iCalendar Library Vulnerability: ICS Injection Flaw Uncovered

A critical vulnerability, CVE-2026-33635, has been identified in the popular iCalendar Ruby library. CVE Notify reports that versions prior to 2.12.2 fail to properly sanitize URI property values within iCalendar files. This oversight allows attackers to inject malicious content, effectively adding arbitrary lines to the .ics output. The flaw stems from how the Icalendar::Values::Uri class handles URI parsing failures, falling back to raw input and then serializing it without stripping carriage return (\r) or newline (\n) characters. This means a carefully crafted payload can terminate legitimate event data and insert new, malicious calendar properties or components.

According to CVE Notify, this vulnerability opens the door for ICS injection through various fields, including URLs, sources, attachments, organizers, attendees, and even conference details. Applications that process .ics files using untrusted metadata are particularly at risk. The consequence? Downstream calendar clients or importers could be tricked into accepting attacker-controlled data as legitimate, potentially leading to unauthorized attendee additions, modified event details, or rogue alarms. The iCalendar library has since released version 2.12.2 to address this security gap.

What This Means For You

  • Developers using the iCalendar Ruby library should immediately update to version 2.12.2 or later to patch the ICS injection vulnerability. For applications processing calendar data from potentially untrusted sources, implement strict input validation and sanitization on all URI properties before generating or parsing `.ics` files.
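The flaw described above comes down to one serialization rule: a URI property must emit exactly one content line, so a value that carries CR or LF must never reach the output unchanged. The following is an added example written for this article, not code from the icalendar gem or the advisory. It models the vulnerable "fall back to raw input" pattern in a simplified serializer (an assumption about the gem's behaviour, not its source), places a hardened validator beside it, and uses a constructed sample value containing a CRLF sequence so that the difference is observable.

```ruby
require "uri"

# Constructed sample (not from the advisory): a URL property value that an
# untrusted source might supply, carrying a CRLF followed by text that looks
# like a second calendar property.
UNTRUSTED_URL = "https://example.test/event\r\nATTENDEE:mailto:injected@example.test"

# Simplified model of the vulnerable pattern: on URI parse failure, fall back
# to the raw string and serialize it as-is, so CR/LF survive into the output.
# (Assumption: this mirrors the behaviour the advisory describes; it is not
# the gem's own code.)
def serialize_url_vulnerable(value)
  parsed = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    value # raw fallback keeps control characters
  end
  "URL:#{parsed}"
end

# Hardened validator: reject any value containing CR, LF or other control
# characters, require an absolute URI with an allow-listed scheme, and return
# nil (never the raw input) when validation fails.
def sanitize_uri_value(value, schemes: %w[http https])
  return nil if value.nil?
  return nil if value.match?(/[\r\n\x00-\x1f\x7f]/)
  uri = URI.parse(value)
  return nil unless uri.absolute? && schemes.include?(uri.scheme)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

def serialize_url_hardened(value)
  clean = sanitize_uri_value(value)
  raise ArgumentError, "invalid or unsafe URI property value" if clean.nil?
  "URL:#{clean}"
end

# Detection helper for tests or CI: a single serialized property must produce
# exactly one line. Anything more means a value broke out of its property.
def property_line_count(serialized)
  serialized.split(/\r\n|\n|\r/).length
end

if __FILE__ == $PROGRAM_NAME
  vulnerable = serialize_url_vulnerable(UNTRUSTED_URL)
  puts "vulnerable serializer emitted #{property_line_count(vulnerable)} line(s)"
  begin
    serialize_url_hardened(UNTRUSTED_URL)
  rescue ArgumentError => e
    puts "hardened serializer rejected the value: #{e.message}"
  end
end
```

The `property_line_count` check is cheap to run against every property your application emits; a count greater than one on a property that should not fold is a reliable regression signal regardless of which library version is installed. Extend the `schemes:` allow list (for example to include `mailto`) for ORGANIZER and ATTENDEE values rather than relaxing the control-character rule.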

Indicators of Compromise

  • ID: CVE-2026-33635 | Type: Code Injection | Indicator: Software: iCalendar Ruby library; Versions: < 2.12.2; Vulnerable Component: .ics serialization, specifically Icalendar::Values::Uri; Description: Does not properly sanitize URI property values, allowing ICS injection via CRLF characters in input.
  • ID: CVE-2026-33635 | Type: Information Disclosure | Indicator: Software: iCalendar Ruby library; Versions: < 2.12.2; Vulnerable Component: .ics serialization; Description: Attackers can inject arbitrary calendar lines, potentially leading to modified event data (attendees, URLs, alarms) in downstream calendar clients.
  • ID: CVE-2026-33635 | Type: Path Traversal | Indicator: Software: iCalendar Ruby library; Versions: < 2.12.2; Vulnerable Component: .ics serialization; Description: The vulnerability allows injection through URI property values, which can be exploited via fields like url, source, image, organizer, attach, attendee, conference, tzurl.