ray
Fixed in
2.8.1
A path traversal vulnerability has been discovered in the Ray Dashboard, a web-based interface for managing Ray clusters. This flaw, present in versions prior to 2.8.1, allows attackers to bypass intended access controls and potentially retrieve sensitive files from the server. The vulnerability stems from insufficient validation of user-supplied paths within the static file handling component. Upgrading to Ray 2.8.1 resolves this issue.
The primary impact of this vulnerability is unauthorized access to files on the Ray Dashboard server. An attacker could leverage path traversal sequences (e.g., ../../) within requests to the dashboard to navigate outside the designated static file directory. This could expose configuration files, source code, or other sensitive data stored on the system. While the vulnerability is limited to local file disclosure, the potential for data compromise is significant, particularly if the server hosts critical Ray cluster configurations or secrets. The blast radius extends to any system running a vulnerable Ray Dashboard instance.
This vulnerability was publicly disclosed on 2026-03-17. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. Due to the relatively recent disclosure and lack of public exploits, the probability of exploitation is considered low to medium.
Organizations deploying Ray clusters with the Ray Dashboard enabled are at risk, particularly those running versions 0.0 through 2.8.1. Shared hosting environments where multiple users share the same Ray Dashboard instance are especially vulnerable, as an attacker could potentially access files belonging to other users.
• python / server:
import requests

# Probe your own dashboard (default port 8265): a 200 for a path that climbs out of
# /static/ means the static file handler is not rejecting traversal sequences.
url = 'http://your_ray_dashboard_ip:8265/static/../../../../etc/passwd'
response = requests.get(url, timeout=10)
if response.status_code == 200:
    print('Potential Path Traversal Detected: ', response.text[:100])  # Print first 100 chars
else:
    print('No Path Traversal Detected')
• linux / server:
# Look for dashboard config files that carry the traversal-bypass marker
find / -name 'ray_dashboard.conf' -print 2>/dev/null | while read -r file; do
    grep -q 'path_traversal_bypass' "$file" && echo "Potential Path Traversal Configuration Found: $file"
done
Disclosure
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade Ray to version 2.8.1 or later, which includes the necessary fix for this path traversal vulnerability. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing potentially malicious path traversal sequences (e.g., '../', './..'). Additionally, restrict access to the Ray Dashboard (default port 8265) to trusted networks and users. Regularly review and audit file permissions within the static file directory to ensure that only authorized files are accessible. After upgrade, confirm by attempting to access files outside the static directory via the dashboard and verifying that access is denied.
Update Ray to version 2.8.1 or later. This fixes the path traversal vulnerability in the Ray Dashboard. The update can be performed with the Python package manager (pip).
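Two defender-side checks matching the mitigation advice above, as an added example that is not Ray's code: a canonical-path test a static file handler can apply before serving a file, and a scan of access-log lines for traversal sequences in /static/ requests. The static root location, the common-log-format layout and the sample log lines are assumed or constructed, not taken from a Ray deployment.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

STATIC_ROOT = "/srv/ray-dashboard/static"  # assumed location, not taken from Ray
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")   # a '..' path segment anywhere in the path


def safe_static_path(static_root: str, requested: str) -> Optional[str]:
    """Map a URL path below /static/ to a file under static_root, or None if it escapes.

    Decodes twice so a double-encoded '..' (%252e%252e) cannot slip past, then decides
    on the canonical filesystem path rather than on string patterns.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:  # NUL bytes are never part of a legitimate asset name
        return None
    root = os.path.realpath(static_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath also rejects sibling-prefix tricks such as '.../static-old'
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, raw_path) for common-log-format lines whose /static/ request
    path contains a '..' segment after percent-decoding."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7 or not parts[6].startswith("/static/"):
            continue
        if TRAVERSAL.search(unquote(unquote(parts[6]))):
            hits.append((parts[0], parts[6]))
    return hits


# Constructed sample access-log lines, not from a real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2026:10:00:01 +0000] "GET /static/css/main.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Mar/2026:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [17/Mar/2026:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/config.yaml HTTP/1.1" 404 0',
    '10.0.0.7 - - [17/Mar/2026:10:00:04 +0000] "GET /api/jobs HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    print(safe_static_path(STATIC_ROOT, "css/main.css"))            # path inside the root
    print(safe_static_path(STATIC_ROOT, "../../../../etc/passwd"))  # None
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```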
CVE-2026-32981 is a path traversal vulnerability in Ray Dashboard versions 0.0 - 2.8.1, allowing attackers to access files outside the intended static directory.
You are affected if you are using Ray Dashboard versions 0.0 through 2.8.1. Upgrade to 2.8.1 or later to mitigate the risk.
The primary fix is to upgrade Ray Dashboard to version 2.8.1 or later. Consider WAF rules as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's nature makes exploitation likely.
Refer to the official Ray security advisory for detailed information and updates: [https://ray.io/security/](https://ray.io/security/)