MEDIUM🇬🇧 English

CVE-2026-27482

CVSS 5.9v3.1pub. 2026-02-21upd. 2026-03-04

Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
  • Anyscale Ray

    APP
    Anyscale
    < 2.54.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
DoS
CWE
Referencje

Powiązane podatności

CVE-2023-48022CRITICAL9.8PL ✓ten sam produkt

Anyscale Ray — RCE przez API przesyłania zadań (job submission API)

CVE-2023-48023CRITICAL9.1PL ✓ten sam produkt

SSRF w Anyscale Ray poprzez endpoint /log_proxy

CVE-2026-41486HIGH8.9ten sam produkt

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow ext...

CVE-2026-32981HIGH8.7ten sam produkt

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2....