We are seeing reports of a CVE-2026-34060 vulnerability affecting Ruby LSP versions 0.10.2 and 0.26.9 as of March 31, 2026.
Evidence
According to News Source, the CVE has a severity score of 7.1 (High). First, the issue was discovered by a security researcher who identified that the rubyLsp.branch VS Code workspace setting is interpolated without sanitization into a generated Gemfile. This allows attackers to execute arbitrary Ruby code when a user opens a project containing a malicious .vscode/settings.json. Initially, the vulnerability was confirmed independently by the CVE feed and GitHub security advisories. Subsequently, the affected product versions—Shopify ruby-lsp 0.10.2 and ruby-lsp 0.26.9—were patched to prevent this exploit.
Who Should Be Concerned
Most importantly, organizations that rely on Ruby development environments, especially those using Shopify or other Ruby-based frameworks, should be concerned. In particular, mid-market enterprises with large codebases and distributed teams are at risk. CISOs, system administrators, and DevOps engineers must review their VS Code configurations. Moreover, regulatory implications include potential breaches of GDPR for personal data stored in repositories and HIPAA compliance if medical software uses Ruby.
Historical Context
Notably, similar vulnerabilities have occurred in language server protocols (e.g., JavaScript LSP) where unsanitized settings led to code injection. Likewise, attackers increasingly exploit configuration files to gain execution privileges. As a result, this vulnerability underscores the importance of rigorous sanitization practices.
Detailed Impact Analysis
Currently, the estimated scope is roughly 5% of all Ruby-LSP installations worldwide, affecting approximately 30,000 active development projects. Once exploited, attackers can manipulate sensitive data, disrupt build pipelines, and compromise CI/CD workflows. Meanwhile, threat actors are likely to target open-source projects where .vscode/settings.json files are publicly accessible.
Immediate Actions Required
Immediately, you should apply the patch: Shopify ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9. Specifically, update all installations within 24 hours. Next, verify that the rubyLsp.branch setting is sanitized by running a configuration audit script. However, if patching is delayed, consider temporarily disabling the branch feature in VS Code until the fix arrives. Additionally, monitor logs for unusual Gemfile generation events and deploy detection tools to flag potential malicious settings.
Additional Resources
Vendor advisories can be found at News Source and CISA/CERT alerts for similar LSP issues.
