CVE-2026-27482

EUVD-2026-7716

21.02.2026, 10:16

Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
anyscale	ray	𝑥 < 2.54.0

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq

Common Weakness Enumeration

CWE-396 - Declaration of Catch for Generic Exception
Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

References

https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4

https://github.com/ray-project/ray/pull/60526

https://github.com/ray-project/ray/releases/tag/ray-2.54.0

https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq