Persistent Data Retention in ViewComponent Framework by Ruby on Rails
CVE-2026-54497

6.8MEDIUM

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2026-54497?

The ViewComponent framework for Ruby on Rails has a vulnerability where ViewComponent::Base instances improperly retain render-scoped objects across multiple render calls. This issue occurs in versions 4.0.0 to 4.12.0, leading to stale data being used across different requests, users, or threads. It can potentially allow unauthorized users to access privileged UI, generate outdated links based on obsolete Host headers, leak slot/helper state, and mix request contexts during concurrent rendering. The vulnerability was addressed in version 4.12.0.

Affected Version(s)

view_component >= 4.0.0, < 4.12.0

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.