CVE-2026-34060 Overview
CVE-2026-34060 is a code injection vulnerability in Ruby LSP, an implementation of the language server protocol for Ruby. The vulnerability exists because the rubyLsp.branch VS Code workspace setting was interpolated without proper sanitization into a generated Gemfile. This allows attackers to achieve arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json file.
Critical Impact
Arbitrary Ruby code execution when opening malicious projects in VS Code with Ruby LSP extension installed
Affected Products
- Shopify.ruby-lsp versions prior to 0.10.2
- ruby-lsp versions prior to 0.26.9
- VS Code installations with vulnerable Ruby LSP extension
Discovery Timeline
- March 31, 2026 - CVE-2026-34060 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34060
Vulnerability Analysis
This vulnerability (CWE-94: Improper Control of Generation of Code) arises from insufficient input sanitization in the Ruby LSP extension's handling of workspace settings. When a developer opens a VS Code project, the extension reads configuration from .vscode/settings.json and uses the rubyLsp.branch setting value directly when generating a Gemfile for the project's language server environment.
The lack of sanitization means that specially crafted values in the branch setting can break out of the intended string context and inject arbitrary Ruby code. This code executes with the same privileges as the developer's user account when the Gemfile is processed by Bundler.
Root Cause
The root cause is improper input validation when interpolating user-controlled workspace settings into dynamically generated Ruby code. The rubyLsp.branch setting value was directly embedded into the generated Gemfile without escaping or validating the input, creating a code injection vulnerability. Any malicious content in this setting would be interpreted as Ruby code during Gemfile evaluation.
Attack Vector
The attack requires local access and user interaction. An attacker must convince a victim to open a malicious project (e.g., by cloning a repository containing a crafted .vscode/settings.json file). When the victim opens this project in VS Code with the vulnerable Ruby LSP extension installed, the malicious code embedded in the workspace settings executes automatically.
This attack vector is particularly concerning for developers who frequently clone and review external repositories, as simply opening a project triggers the vulnerability without any additional user action beyond the initial project opening.
The vulnerability mechanism works as follows: The malicious .vscode/settings.json file contains a crafted rubyLsp.branch value with embedded Ruby code. When Ruby LSP generates the internal Gemfile, this value is interpolated without sanitization. Bundler then evaluates this Gemfile, executing the injected code with the developer's privileges. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-34060
Indicators of Compromise
- Suspicious .vscode/settings.json files in cloned repositories containing unusual rubyLsp.branch values
- Unexpected process execution originating from VS Code or Ruby LSP processes
- Anomalous network connections initiated during project opening in VS Code
- Presence of unfamiliar Ruby code in generated Gemfiles within the Ruby LSP cache directories
Detection Strategies
- Monitor file system activity for creation or modification of .vscode/settings.json files with suspicious content patterns
- Implement code review processes for .vscode/ directories in external repositories before opening projects
- Deploy endpoint detection to identify Ruby process spawning unexpected child processes during VS Code usage
- Use SentinelOne's behavioral AI to detect anomalous code execution patterns originating from development tools
Monitoring Recommendations
- Enable logging for VS Code extension activities and Ruby LSP operations
- Monitor for unexpected outbound network connections from development environments
- Track process genealogy to identify suspicious child processes spawned by VS Code or Bundler
- Implement alerting for attempts to modify or access sensitive files from Ruby processes
How to Mitigate CVE-2026-34060
Immediate Actions Required
- Update Shopify.ruby-lsp extension to version 0.10.2 or later
- Update ruby-lsp gem to version 0.26.9 or later
- Review recently opened projects for suspicious .vscode/settings.json files
- Audit development machines for signs of compromise if unknown repositories were recently opened
Patch Information
Shopify has released patched versions that properly sanitize the rubyLsp.branch setting before interpolation. Users should update to Shopify.ruby-lsp version 0.10.2 or ruby-lsp version 0.26.9. The fix ensures that workspace settings are properly escaped before being included in generated Gemfiles, preventing code injection attacks.
For more information, see the GitHub Release v0.26.9 and the GitHub Security Advisory GHSA-c4r5-fxqw-vh93.
Workarounds
- Temporarily disable the Ruby LSP extension until updates can be applied
- Manually inspect .vscode/settings.json files in repositories before opening projects
- Remove or reset the rubyLsp.branch setting from workspace configurations in untrusted projects
- Configure VS Code workspace trust settings to restrict extension functionality in untrusted folders
# Update Ruby LSP gem to patched version
gem update ruby-lsp
# Or install specific patched version
gem install ruby-lsp -v '0.26.9'
# Verify installed version
gem list ruby-lsp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
