CVE-2026-33635 Overview
CVE-2026-33635 is an ICS injection vulnerability affecting the iCalendar Ruby library, a widely used gem for handling iCalendar files in the RFC 5545 format. The vulnerability exists in versions 2.0.0 through 2.12.1, where improper sanitization of URI property values enables attackers to inject arbitrary calendar content through CRLF sequences in user-controlled input fields.
Critical Impact
Attackers can inject malicious calendar properties including fake attendees, modified URLs, alarms, or arbitrary event data that downstream calendar clients will process as legitimate content.
Affected Products
- iCalendar Ruby gem versions 2.0.0 to 2.12.1
- Applications generating .ics files from untrusted user input
- Calendar systems importing attacker-crafted ICS content
Discovery Timeline
- 2026-03-26 - CVE-2026-33635 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33635
Vulnerability Analysis
The vulnerability stems from the Icalendar::Values::Uri class falling back to raw input strings when URI.parse fails to process a value. During serialization via the value_ical method, the library calls value.to_s without removing or escaping carriage return (\r) or newline (\n) characters. This allows attackers to embed CRLF sequences that terminate the original property and inject new ICS properties or components.
Multiple URI-based properties are vulnerable to this injection technique, including: url, source, image, organizer, attach, attendee, conference, and tzurl. Applications that generate .ics files from partially untrusted metadata are particularly at risk, as downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data.
Root Cause
The root cause is CWE-93 (Improper Neutralization of CRLF Sequences) in the Icalendar::Values::Uri class. When URI.parse fails to parse a supplied value, the library stores the raw input string. During ICS serialization, the value_ical method outputs this raw string directly without sanitizing control characters. Since the ICS format uses CRLF line endings to delimit properties, an attacker can craft input containing \r\n sequences to break out of the URI property context and inject arbitrary calendar data.
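To make the root cause concrete, here is an added example (not code from the icalendar gem or from this advisory) that models the two serialization paths described above in a few lines of plain Ruby: the vulnerable path falls back to the raw string when URI.parse rejects the value and emits it untouched, while the patched path percent-encodes every control byte. The function names, the CONSTRUCTED_INPUT value and the X-INJECTED marker property are assumptions chosen for the demonstration; the gem's own code rescues all errors with a modifier rescue, which this model narrows to URI::Error.

```ruby
require 'uri'

# Constructed input: a URL value carrying a CRLF followed by a harmless marker
# property, standing in for metadata taken from an untrusted source.
CONSTRUCTED_INPUT = "https://example.com/event\r\nX-INJECTED:not-part-of-the-url".freeze

# Same character class as the 2.12.2 patch: ASCII control bytes and DEL.
CONTROL_BYTES_REGEX = /[\x00-\x1F\x7F]/.freeze

# Model of Icalendar::Values::Uri#initialize: keep the parsed URI when the
# value is valid, otherwise keep the raw string (this fallback is the root cause).
def parse_or_raw(value)
  URI.parse(value)
rescue URI::Error
  value
end

# Vulnerable serialization (2.0.0 - 2.12.1): to_s with no neutralization, so a
# CR/LF inside the raw fallback string terminates the property line.
def vulnerable_value_ical(value)
  parse_or_raw(value).to_s
end

# Patched serialization (2.12.2): every control byte becomes %XX, so the value
# can no longer contain a line delimiter.
def patched_value_ical(value)
  parse_or_raw(value).to_s.gsub(CONTROL_BYTES_REGEX) { |char| "%%%02X" % char.ord }
end

# Write one URL property the way an ICS writer would, using either serializer.
def url_property(value, serializer)
  "URL:#{send(serializer, value)}\r\n"
end

# Number of property lines a single URL value produced. A correct serializer
# always yields exactly 1; anything more means the value broke out.
def property_line_count(ics_fragment)
  ics_fragment.split("\r\n").count
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{url_property(CONSTRUCTED_INPUT, :vulnerable_value_ical).inspect}"
  puts "patched:    #{url_property(CONSTRUCTED_INPUT, :patched_value_ical).inspect}"
end
```

Running the script prints the vulnerable output as two ICS lines (the injected marker has become its own property) and the patched output as a single line containing %0D%0A, which a calendar client treats as part of the URL value rather than as a new property.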
Attack Vector
This vulnerability is exploitable over the network by providing malicious URI values to any application that uses the iCalendar gem to generate .ics files. The attack requires user interaction—a victim must import or process the maliciously crafted calendar file. Attackers can target any URI-based property field, injecting payloads that add fake attendees, modify event URLs, create alarms, or insert entirely new calendar components. The injected content appears legitimate to downstream calendar applications and users.
The security patch addresses this vulnerability by implementing control character sanitization:
module Values
class Uri < Value
+ CONTROL_BYTES_REGEX = /[\\x00-\\x1F\\x7F]/.freeze
def initialize(value, *args)
parsed = URI.parse(value) rescue value
super parsed, *args
end
def value_ical
- value.to_s
+ value.to_s.gsub(CONTROL_BYTES_REGEX) { |char| "%%%02X" % char.ord }
end
end
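Review bot: the CONTROL_BYTES_REGEX line is shown with doubled backslashes, /[\\x00-\\x1F\\x7F]/; inside a Ruby regex literal \\ is an escaped backslash, so as printed the character class would match a literal backslash and the letters x, 0, 1, 7 and F rather than the control bytes \x00-\x1F and \x7F, and the gsub in value_ical would leave CR and LF untouched. If this is a rendering artifact of the page the committed literal should read /[\x00-\x1F\x7F]/; in either case a spec that serializes a value containing "\r\n" and asserts on "%0D%0A" in the output would pin the intended behaviour. Note also that the URI.parse fallback to the raw value in initialize is unchanged, so the stored value still carries the control bytes and they are only neutralized at serialization time in value_ical; any other consumer of value gets the raw string.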
Source: GitHub Commit Update
Detection Methods for CVE-2026-33635
Indicators of Compromise
- ICS files containing unexpected properties such as additional ATTENDEE, ALARM, or URL entries not present in the original source data
- Calendar events with suspicious URLs or organizer email addresses that differ from expected values
- User-submitted URI fields containing encoded or raw CRLF sequences (%0D%0A, \r\n)
Detection Strategies
- Implement input validation logging to detect URI values containing control characters or CRLF sequences before ICS generation
- Monitor generated ICS file content for anomalous property counts compared to input data
- Audit Ruby gem dependencies using bundler-audit or similar tools to identify vulnerable iCalendar versions
Monitoring Recommendations
- Enable application-level logging for all URI-based property assignments in calendar generation workflows
- Implement integrity checks comparing input field counts against generated ICS property counts
- Set up alerts for user input containing control characters in calendar-related forms or APIs
How to Mitigate CVE-2026-33635
Immediate Actions Required
- Upgrade the iCalendar Ruby gem to version 2.12.2 or later immediately
- Audit all applications that generate ICS files from user-provided input
- Review recently generated calendar files for signs of injection attacks
- Implement input validation to strip control characters from URI fields before processing
Patch Information
The vulnerability is addressed in iCalendar version 2.12.2. The patch modifies the value_ical method in lib/icalendar/values/uri.rb to percent-encode all control bytes (characters in the ranges \x00-\x1F and \x7F) using a regex-based sanitization approach. For full technical details, refer to the GitHub Security Advisory and the security patch commit.
Workarounds
- Implement application-level input sanitization to strip or reject CRLF characters from all URI-based fields before passing to the iCalendar library
- Use a validation layer that rejects any input containing control characters (\x00-\x1F, \x7F)
- Consider implementing Content Security Policy for calendar file downloads to reduce exposure
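The following added example (not part of the icalendar gem or of this advisory) implements two of the controls listed above in one script: the validation layer from the Workarounds that rejects URI fields containing control characters or encoded line breaks before they reach the library, and the integrity check from the Detection Strategies and Monitoring Recommendations that compares the property counts an application intended to write with the properties that actually appear in the generated ICS text. The function names, the SAMPLE_ICS text and the EXPECTED_COUNTS table are constructed assumptions; the sample ICS is what an unpatched serializer would emit for an event whose URL value carried a CRLF and a harmless X-INJECTED marker.

```ruby
# Control bytes that must never appear in a URI field (same class as the patch).
CONTROL_CHARS = /[\x00-\x1F\x7F]/.freeze
# Percent-encoded CR or LF, listed among the indicators of compromise above.
ENCODED_LINE_BREAK = /%0[AD]/i.freeze

# The URI-valued properties the advisory names as injection points.
URI_PROPERTIES = %w[URL SOURCE IMAGE ORGANIZER ATTACH ATTENDEE CONFERENCE TZURL].freeze

# Returns nil when a field is acceptable, otherwise a short reason suitable
# for an application log line or an alert.
def uri_field_problem(field_name, value)
  return "#{field_name}: contains control characters" if value.match?(CONTROL_CHARS)
  return "#{field_name}: contains encoded line break" if value.match?(ENCODED_LINE_BREAK)
  nil
end

# Validation layer: check every URI-based field before ICS generation.
# An empty result means generation may proceed; otherwise reject the request
# and log the reasons.
def validate_uri_fields(fields)
  fields.filter_map { |name, value| uri_field_problem(name, value) }
end

# RFC 5545 folds long lines: a continuation line starts with a space or tab.
# Unfold first so a legitimately folded property is not counted twice.
def unfold_ics(ics)
  ics.gsub(/\r\n[ \t]/, '')
end

# Count property names in serialized ICS text, ignoring parameters
# ("ATTENDEE;CN=x:mailto:..." counts as ATTENDEE).
def property_counts(ics)
  unfold_ics(ics).split("\r\n").each_with_object(Hash.new(0)) do |line, counts|
    name = line[/\A([A-Z0-9-]+)[;:]/, 1]
    counts[name] += 1 if name
  end
end

# Integrity check: properties that occur more often in the generated file than
# the application intended (a property it never wrote counts as expected 0).
def unexpected_properties(expected_counts, ics)
  property_counts(ics).select { |name, count| count > expected_counts.fetch(name, 0) }
end

# Constructed sample of a tampered file produced by an unpatched serializer.
SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'VERSION:2.0',
  'PRODID:-//example//constructed sample//EN',
  'BEGIN:VEVENT',
  'UID:constructed-1',
  'DTSTART:20260401T090000Z',
  'SUMMARY:Constructed event whose summary the writer folded',
  ' across two physical lines',
  'URL:https://example.com/event',
  'X-INJECTED:not-part-of-the-url',
  'END:VEVENT',
  'END:VCALENDAR'
].join("\r\n") + "\r\n"

# What the application meant to write for this event (constructed).
EXPECTED_COUNTS = {
  'BEGIN' => 2, 'END' => 2, 'VERSION' => 1, 'PRODID' => 1,
  'UID' => 1, 'DTSTART' => 1, 'SUMMARY' => 1, 'URL' => 1
}.freeze

if $PROGRAM_NAME == __FILE__
  puts validate_uri_fields('url' => "https://example.com/event\r\nX-INJECTED:x").inspect
  puts unexpected_properties(EXPECTED_COUNTS, SAMPLE_ICS).inspect
end
```

The validation layer is the control to deploy in front of an unpatched gem, since it stops the control bytes before the library stores them; the integrity check is a second line of defence that works on the output regardless of how the file was produced, and it is the check to run over recently generated files when reviewing for signs of past injection.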
# Update the iCalendar gem to the patched version
bundle update icalendar
# Or specify the minimum safe version in Gemfile
# gem 'icalendar', '>= 2.12.2'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.