CVE-2026-27482

EUVD-2026-7716

21.02.2026, 10:16

Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
anyscale	ray	𝑥 < 2.54.0

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
ray_project	ray	𝑥 < 2.54.0	CNA

Known Exploits!

https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq

Common Weakness Enumeration

CWE-396 - Declaration of Catch for Generic Exception
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

References

https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4

https://github.com/ray-project/ray/pull/60526

https://github.com/ray-project/ray/releases/tag/ray-2.54.0

https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq