{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27482", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T19:46:03.540Z", "datePublished": "2026-02-21T09:18:26.027Z", "dateUpdated": "2026-02-24T18:52:03.874Z"}, "containers": {"cna": {"title": "Ray: Dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)", "problemTypes": [{"descriptions": [{"cweId": "CWE-396", "lang": "en", "description": "CWE-396: Declaration of Catch for Generic Exception", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq"}, {"name": "https://github.com/ray-project/ray/pull/60526", "tags": ["x_refsource_MISC"], "url": "https://github.com/ray-project/ray/pull/60526"}, {"name": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4", "tags": ["x_refsource_MISC"], "url": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4"}, {"name": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0"}], "affected": [{"vendor": "ray-project", "product": "ray", "versions": [{"version": "< 2.54.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T09:18:26.027Z"}, "descriptions": [{"lang": "en", "value": "Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher."}], "source": {"advisory": "GHSA-q5fh-2hc8-f6rq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:51:47.465400Z", "id": "CVE-2026-27482", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:52:03.874Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27482", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T18:51:47.465400Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:51:56.304Z"}}], "cna": {"title": "Ray: Dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)", "source": {"advisory": "GHSA-q5fh-2hc8-f6rq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ray-project", "product": "ray", "versions": [{"status": "affected", "version": "< 2.54.0"}]}], "references": [{"url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq", "name": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ray-project/ray/pull/60526", "name": "https://github.com/ray-project/ray/pull/60526", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4", "name": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0", "name": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-396", "description": "CWE-396: Declaration of Catch for Generic Exception"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T09:18:26.027Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27482", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:52:03.874Z", "dateReserved": "2026-02-19T19:46:03.540Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T09:18:26.027Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anyscale:ray:*:*:*:*:*:*:*:*", "matchCriteriaId": "63751A45-3056-49B1-A840-35B9E6782CD1", "versionEndExcluding": "2.54.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher."}, {"lang": "es", "value": "Ray es un motor de c\u00f3mputo de IA. En las versiones 2.53.0 e inferiores, el servidor HTTP del panel de control bloquea POST/PUT de origen de navegador pero no cubre DELETE, y los endpoints DELETE clave no est\u00e1n autenticados por defecto. Si el panel de control/agente es accesible (p. ej., --dashboard-host=0.0.0.0), una p\u00e1gina web a trav\u00e9s de la reconfiguraci\u00f3n de DNS o el acceso a la misma red puede emitir solicitudes DELETE que apagan Serve o eliminan trabajos sin interacci\u00f3n del usuario. Esto supone un impacto en la disponibilidad de tipo drive-by. La soluci\u00f3n para esta vulnerabilidad es actualizar a Ray 2.54.0 o superior."}], "id": "CVE-2026-27482", "lastModified": "2026-03-04T18:59:13.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-21T10:16:12.380", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/ray-project/ray/pull/60526"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-396"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.54.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ray", "source": "cna", "vendor": "ray-project"}, "product": "ray", "vendor": "ray_project"}], "analysis": {"en": {"generated_at": "2026-04-17T16:48:33.466904+00:00", "value": {"mitigation_remediation": ["Upgrade Ray to version 2.54.0 or newer, which adds authentication to the deleted endpoints and restricts dashboard exposure.", "Configure the dashboard host to listen only on localhost or to a trusted internal subnet, preventing unauthenticated access from external networks.", "Disable or remove the DELETE endpoints from the dashboard API if the upgrade cannot be applied immediately, acting as a temporary mitigation."], "summary": {"action": "Update immediately", "impact": "Denial of Service via unauthenticated deletes"}, "threat_synthesis": {"affected_systems": "All Ray deployments that expose the dashboard host to 0.0.0.0 or otherwise allow network access and run version 2.53.0 or earlier are affected. The issue is corrected in Ray version 2.54.0 and higher, which implements authentication for delete endpoints and restricts access to the dashboard host.", "description_and_impact": "Ray, an AI compute engine, has a notable vulnerability in its dashboard HTTP server. The server blocks browser\u2011origin POST and PUT requests but leaves DELETE unprotected, and the critical DELETE endpoints are unauthenticated out of the box. When a dashboard or agent instance is publicly reachable, an attacker can trigger these DELETE calls from a browser, causing the Serve component to shut down or removing jobs from the system without any user interaction.", "risk_and_exploitability": "The CVSS score of 5.9 marks this flaw as medium severity, while the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation at present. Attackers who can reach the dashboard\u2014through DNS rebinding, same\u2011network exposure, or a publicly accessible host\u2014can issue unauthenticated DELETE requests to shut down Serve or delete jobs, leading to a denial of service. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog."}}}}, "created": "2026-02-23T14:32:13.232436+00:00", "updated": "2026-04-17T17:00:10.158977+00:00", "vendors": ["ray_project", "ray_project$PRODUCT$ray"]}