RubySec

Providing security resources for the Ruby community

CVE-2026-54497 (view_component): Reused Component Instances Retain Stale Render Context

Reused Component Instances Retain Stale Render Context

Published: June 04, 2026

SECURITY IDENTIFIERS

GEM

view_component

SEVERITY

CVSS v3.x: 6.8 (Medium)

UNAFFECTED VERSIONS

< 4.0.0

PATCHED VERSIONS

>= 4.12.0

DESCRIPTION

Summary

ViewComponent::Base instances retain multiple render-scoped objects across calls to render_in. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, view_flow, format/variant details, and slot child context from an earlier render.

This can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.

RELATED