Platform: python
Component: ray
Fixed in: 2.8.1
A path traversal vulnerability has been discovered in the Ray Dashboard, a web-based interface for managing Ray clusters. This flaw, affecting versions prior to 2.8.1, allows attackers to bypass intended access controls and potentially disclose sensitive files on the system. The vulnerability stems from insufficient validation of user-supplied paths within the static file handling mechanism. Upgrading to version 2.8.1 resolves this issue.
The primary impact of this vulnerability is the potential for local file disclosure. An attacker could leverage the path traversal sequences (e.g., ../../) to navigate outside the intended static directory and access arbitrary files on the server hosting the Ray Dashboard. This could include configuration files, source code, or other sensitive data. The blast radius is limited to the server hosting the dashboard and the files accessible from that server. While not directly leading to remote code execution, the disclosed information could be used to further compromise the system or reveal valuable insights into the Ray cluster's configuration and operation.
This vulnerability was publicly disclosed on 2026-03-17. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are not widely available, but the nature of path traversal vulnerabilities makes it likely that such exploits will emerge.
Exploit Status
EPSS: 0.08% (24th percentile)
The recommended mitigation is to immediately upgrade the Ray Dashboard to version 2.8.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing traversal sequences (e.g., ../, ../../). Additionally, restrict access to the Ray Dashboard to trusted networks and users. Regularly review and audit file permissions within the static directory to ensure that only authorized files are accessible. Implement input validation and sanitization on all user-supplied paths to prevent future path traversal vulnerabilities.
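The path validation recommended above, as an added example (not code from Ray or from this advisory): a resolver that joins the request path onto the static root, canonicalizes it, and refuses anything that lands outside the root, shown beside the unchecked join it replaces. The names `naive_resolve`, `safe_resolve` and `demo`, and the directory tree, are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_resolve(static_root: Path, requested: str) -> Path:
    """Flawed pattern: join the decoded request path onto the root, no containment check."""
    return Path(os.path.normpath(static_root / unquote(requested)))


def safe_resolve(static_root: Path, requested: str) -> Optional[Path]:
    """Return the file to serve, or None when the request leaves static_root."""
    root = static_root.resolve()
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Strip leading separators so an absolute path cannot replace the root in the join.
    candidate = (root / decoded.lstrip("/\\")).resolve()
    # resolve() collapses ".." and follows symlinks, so compare only after it.
    if not candidate.is_relative_to(root):
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Return {label: (naive_path_is_outside_root, safe_resolver_serves_it)}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        static = base / "static"
        (static / "js").mkdir(parents=True)
        (static / "js" / "app.js").write_text("// constructed asset\n")
        (base / "secret.conf").write_text("constructed secret\n")
        samples = {  # constructed request paths
            "asset": "js/app.js",
            "dotdot": "../secret.conf",
            "nested": "js/../../secret.conf",
            "encoded": "%2e%2e/secret.conf",
            "absolute": str(base / "secret.conf"),
        }
        return {
            label: (not naive_resolve(static, req).is_relative_to(static),
                    safe_resolve(static, req) is not None)
            for label, req in samples.items()
        }


if __name__ == "__main__":
    print(demo())
```

The containment check runs on the canonical path rather than on the raw string, which is why the percent-encoded and absolute forms are rejected without a separate filter for each.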
Update Ray to version 2.8.1 or higher. This will resolve the path traversal vulnerability in the Ray dashboard. The update can be performed using the Python package manager (pip).
CVE-2026-32981 is a path traversal vulnerability in Ray Dashboard versions 0.0 - 2.8.1, allowing attackers to access files outside the intended static directory.
You are affected if you are using Ray Dashboard versions 0.0 through 2.8.1. Upgrade to 2.8.1 or later to mitigate the risk.
The primary fix is to upgrade Ray Dashboard to version 2.8.1 or later. Consider WAF rules as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's nature makes exploitation likely.
Refer to the official Ray security advisory for detailed information and updates: [https://ray.io/security/](https://ray.io/security/)