Description

Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.

INFO

Published Date :

2026-02-21T09:18:26.027Z

Last Modified :

2026-02-24T18:52:03.874Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27482 vulnerability.

Vendors Products
Anyscale
  • Ray
Ray Project
  • Ray
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27482.

URL Resource
https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4 cve-icon cve-icon
https://github.com/ray-project/ray/pull/60526 cve-icon cve-icon
https://github.com/ray-project/ray/releases/tag/ray-2.54.0 cve-icon cve-icon
https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact