Persistent Data Retention in ViewComponent Framework by Ruby on Rails
CVE-2026-54497
6.8MEDIUM
What is CVE-2026-54497?
The ViewComponent framework for Ruby on Rails has a vulnerability where ViewComponent::Base instances improperly retain render-scoped objects across multiple render calls. This issue occurs in versions 4.0.0 to 4.12.0, leading to stale data being used across different requests, users, or threads. It can potentially allow unauthorized users to access privileged UI, generate outdated links based on obsolete Host headers, leak slot/helper state, and mix request contexts during concurrent rendering. The vulnerability was addressed in version 4.12.0.
Affected Version(s)
view_component >= 4.0.0, < 4.12.0
