AI Threat Alert

CVE-2023-6021: Ray: LFI allows unauthenticated file read

GHSA-3pww-qvr8-6mhp CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published November 16, 2023
CISO Take

Any Ray cluster reachable over the network is critically exposed — no credentials required to read arbitrary server files including API keys, cloud credentials, and model artifacts. With an EPSS of 0.87, exploitation is highly probable and likely active. Patch to Ray 2.8.1+ immediately; if patching is blocked, isolate Ray nodes from public networks and treat all secrets stored on Ray nodes as compromised.

What is the risk?

Critical. CVSS 9.3 (network-accessible, no auth, no user interaction, high confidentiality impact) combined with EPSS 0.87317 signals active or near-certain exploitation in the wild. Ray clusters are common in cloud ML environments and frequently misconfigured with port 8265 or 8000 exposed. AI/ML infrastructure is a high-value target due to the concentration of credentials, proprietary models, and sensitive training data on compute nodes.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Ray pip < 2.8.1 2.8.1
42.9K OpenSSF 5.7 873 dependents Pushed 2d ago 83% patched ~139d to patch Full package profile →

Do you use Ray? You're affected.

How severe is it?

CVSS 3.1
9.3 / 10
EPSS
37.1%
chance of exploitation in 30 days
Higher than 98% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 37%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I Low
A None

What should I do?

6 steps

  1. Patch immediately: upgrade to Ray 2.8.1+.

  2. If patching is blocked, restrict network access to Ray ports (8265, 8000, 6379, 10001) via firewall — these must never be internet-facing.

  3. Assume compromise if Ray was network-accessible before patching: rotate all credentials stored on Ray nodes (cloud keys, API tokens, SSH keys, DB passwords).

  4. Enable access logging on Ray endpoints and alert on path traversal patterns (../, ..\, %2e%2e%2f).

  5. Deploy Ray behind an authenticated reverse proxy if network isolation is not immediately feasible.

  6. Audit Ray node filesystems for secrets using tools like truffleHog or gitleaks.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework Inference AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1 - AI system security and resilience
NIST AI RMF
MANAGE-2.2 - Risk response — sustaining deployed AI value
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-6021?

Any Ray cluster reachable over the network is critically exposed — no credentials required to read arbitrary server files including API keys, cloud credentials, and model artifacts. With an EPSS of 0.87, exploitation is highly probable and likely active. Patch to Ray 2.8.1+ immediately; if patching is blocked, isolate Ray nodes from public networks and treat all secrets stored on Ray nodes as compromised.

Is CVE-2023-6021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6021, increasing the risk of exploitation.

How to fix CVE-2023-6021?

1. Patch immediately: upgrade to Ray 2.8.1+. 2. If patching is blocked, restrict network access to Ray ports (8265, 8000, 6379, 10001) via firewall — these must never be internet-facing. 3. Assume compromise if Ray was network-accessible before patching: rotate all credentials stored on Ray nodes (cloud keys, API tokens, SSH keys, DB passwords). 4. Enable access logging on Ray endpoints and alert on path traversal patterns (../, ..\, %2e%2e%2f). 5. Deploy Ray behind an authenticated reverse proxy if network isolation is not immediately feasible. 6. Audit Ray node filesystems for secrets using tools like truffleHog or gitleaks.

What systems are affected by CVE-2023-6021?

This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving, hyperparameter tuning, reinforcement learning environments, MLOps pipelines.

What is the CVSS score for CVE-2023-6021?

CVE-2023-6021 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 37.08%.

What is the AI security impact?

Affected AI Architectures

distributed training pipelinesmodel servinghyperparameter tuningreinforcement learning environmentsMLOps pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.1
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

Exploitation Scenario

Adversary scans internet-facing hosts for Ray dashboard (port 8265) or Ray Serve (port 8000) — both commonly exposed in misconfigured cloud ML environments. Once a Ray instance is identified, attacker sends a crafted GET request to the log API endpoint with a path traversal payload targeting high-value files: ../../../../root/.env (API keys), ../../../../home/ubuntu/.aws/credentials (cloud access), ../../../../root/.ssh/id_rsa (SSH private key). With credentials harvested, attacker pivots from the ML cluster to broader cloud infrastructure, CI/CD pipelines, or model registries. EPSS of 0.87 indicates this exploit pattern is already operational.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '..filename' Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

References

Timeline

Published
November 16, 2023
Last Modified
January 9, 2025
First Seen
March 24, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2023/CVE-2023-6021.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2023-6019 9.8

Ray: unauthenticated RCE via dashboard command injection

Same package: ray
CRITICAL CVE-2023-48022 9.8

Ray: unauthenticated RCE via job submission API

Same package: ray
CRITICAL CVE-2023-6020 9.3

Ray: unauthenticated LFI exposes entire filesystem

Same package: ray
HIGH CVE-2026-32981 7.5

Ray Dashboard: unauthenticated path traversal file read

Same package: ray
MEDIUM CVE-2026-54683 6.5

nl-portal documenten-api: IDOR exposes citizen documents

Same package: ray
Back to Threat Feed