## Ruby-LSP v0.26.9 Patches Critical Code Execution Flaw in VS Code Workspace Settings
A critical security vulnerability in the Ruby-LSP extension for VS Code, which exposed developers to arbitrary code execution simply by opening a malicious project, has been patched. The flaw, tracked as CVE-2026-34060, resided in the handling of the `rubyLsp.branch` workspace setting. This setting was interpolated without sanitization into a generated Gemfile, creating a direct path for an attacker to inject and execute arbitrary Ruby code. The attack vector is alarmingly simple: a user only needs to open a project containing a malicious `.vscode/settings.json` file.

The vulnerability specifically affects the `ruby-lsp` package, a language server for Ruby maintained by Shopify. The security advisory confirms that the issue was present in version 0.26.8 and has been resolved in the newly released version 0.26.9. This update is marked as a security priority, prompting automated dependency managers like Renovate to flag the change. The flaw's mechanism bypasses typical security boundaries by exploiting the trust model of VS Code workspace settings, which are automatically applied when a workspace is opened and trusted.

The implications extend beyond VS Code. The advisory explicitly warns that other code editors supporting similar workspace settings—which are automatically applied upon opening and trusting a workspace—could also be vulnerable to analogous exploitation patterns. This raises the risk for developers across multiple integrated development environments (IDEs) who rely on language server protocol (LSP) extensions for Ruby. The patch underscores the persistent security challenges in developer tooling, where configuration files intended for convenience can become potent attack vectors if not rigorously sanitized.
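The following Ruby is an added illustration of the defect class the advisory describes and of the two controls a maintainer or reviewer would expect; it is not ruby-lsp's own code. The exact Gemfile line the extension generates is not given in the advisory, so the `gem "ruby-lsp", github: ..., branch: ...` shape, the allowlist regex and the helper names are assumptions. It shows raw interpolation of the setting beside a version that validates the branch name against a strict allowlist and emits it as an escaped Ruby literal, plus a small audit helper that flags a `.vscode/settings.json` whose `rubyLsp.branch` would fail that validation.

```ruby
require "json"

# Unsafe pattern from the advisory: an editor-supplied setting is dropped verbatim
# into Ruby source, so any quote in the value ends the literal and what follows is
# parsed as code when the Gemfile is evaluated. (Hypothetical line shape.)
def gemfile_line_unsafe(branch)
  %(gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: "#{branch}")
end

class InvalidBranchSetting < ArgumentError; end

# Assumed allowlist: deliberately stricter than git's own ref-name rules. Only
# letters, digits, '.', '_', '/' and '-' are accepted, so quotes, braces,
# backslashes and shell metacharacters can never reach the generated file.
BRANCH_RE = /\A[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}\z/

def validate_branch!(branch)
  raise InvalidBranchSetting, "branch setting must be a string" unless branch.is_a?(String)
  raise InvalidBranchSetting, "branch setting contains disallowed characters" unless branch.match?(BRANCH_RE)
  raise InvalidBranchSetting, "branch setting must not contain '..'" if branch.include?("..")
  branch
end

# Hardened pattern: validate first, then emit the value with String#dump, which
# produces a quoted Ruby literal with quotes, backslashes and "#{" escaped. Even a
# loosened allowlist could not terminate the literal.
def gemfile_line_safe(branch)
  validate_branch!(branch)
  %(gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: #{branch.dump})
end

# Audit helper for a workspace settings document. Returns nil when the setting is
# absent or acceptable, otherwise a short reason string. VS Code's settings.json
# may contain comments; this helper assumes strict JSON and reports otherwise.
def audit_workspace_settings(json_text)
  settings = JSON.parse(json_text)
  return nil unless settings.key?("rubyLsp.branch")
  validate_branch!(settings["rubyLsp.branch"])
  nil
rescue InvalidBranchSetting => e
  "rubyLsp.branch rejected: #{e.message}"
rescue JSON::ParserError => e
  "settings.json is not strict JSON: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a settings file whose branch value carries a quote.
  sample = '{"rubyLsp.branch": "main\"; puts \"injected\""}'
  puts audit_workspace_settings(sample)
  puts audit_workspace_settings('{"rubyLsp.branch": "feature/fix-123"}').inspect
  puts gemfile_line_safe("feature/fix-123")
end
```

The two layers are independent on purpose: the allowlist rejects hostile values up front, and the escaped literal means a future relaxation of the allowlist (for example to admit more of git's permitted characters) still cannot let the value break out of the string.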
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-34060, VS Code, Ruby, Supply Chain Security, Code Execution
- **Credibility**: unverified
- **Published**: 2026-03-28 01:26:56
- **ID**: 38610
- **URL**: https://whisperx.ai/en/intel/38610