CVE-2026-27482: ray: Missing Auth allows unauthenticated access

GHSA-q5fh-2hc8-f6rq | Severity: MEDIUM | PoC available | CISA SSVC: Track*
Published February 20, 2026
CISO Take

If you're running Ray with the dashboard exposed to any network (--dashboard-host=0.0.0.0), unauthenticated DELETE requests can kill your entire AI serving layer or wipe running jobs — no credentials needed, exploitable via DNS rebinding from any browser. Patch to Ray 2.54.0 immediately and restrict dashboard access to localhost or a dedicated management network. There is no legitimate reason to leave the dashboard network-exposed without authentication enabled.

Risk Assessment

Medium CVSS but high operational impact in cloud and Kubernetes environments where Ray dashboards are routinely exposed for team access. CVSS 5.9 understates real-world blast radius: losing Ray Serve means total inference downtime, not degraded performance. Exploitability is trivial once network access exists — a single fetch() call with no authentication or AI knowledge required. EPSS is low (0.00036) and no active exploitation is reported, but the attack is simple enough that any motivated insider or same-network attacker would discover it independently.

Affected Systems

Package | Ecosystem | Vulnerable range | Patched
ray     | pip       | < 2.54.0         | 2.54.0

Package stats: 42.4K, OpenSSF score 6.2, 845 dependents, pushed 6d ago, 78% patched, ~186d to patch


Severity & Risk

CVSS 3.1: 5.9 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 19% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM
Sophistication: trivial
Exploitation confidence: medium
CISA SSVC: public PoC (indexed in trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): High

Recommended Action

6 steps

  1. PATCH: Upgrade all Ray deployments to 2.54.0 immediately — the fix gates DELETE on the same browser-origin middleware as POST/PUT.

  2. NETWORK: Remove --dashboard-host=0.0.0.0; bind to 127.0.0.1 or a restricted management interface.

  3. AUTH: Enable dashboard token authentication via --dashboard-token-length or the RAY_DASHBOARD_TOKEN environment variable.

  4. KUBERNETES: Apply NetworkPolicies restricting ports 8265 and 52365 to authorized management pods and IPs only; audit existing NodePort or LoadBalancer services exposing Ray.

  5. DETECTION: Alert on DELETE requests to /api/serve/applications/ and /api/jobs/* from unexpected source IPs in your API gateway or service mesh logs.

  6. AUDIT: Verify no Ray dashboard ports are reachable from the internet or untrusted VLANs in any environment.
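The detection step above (DELETE requests to /api/serve/applications/ and /api/jobs/* from unexpected source IPs) as a worked example. This is added here and is not part of the advisory or of the Ray project: a small Python scanner over constructed combined-format access-log lines that flags DELETEs to the three routes the advisory names (dashboard on 8265, agent on 52365) when the client address lies outside an assumed management network. The 10.10.0.0/24 range, the 192.168.1.77 client, and the raysubmit_ identifiers are made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Management networks from which dashboard administration is expected.
# Constructed for this example; substitute your own ranges.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# DELETE routes named in the advisory (dashboard on 8265, agent on 52365).
SENSITIVE_DELETE_PATHS = re.compile(
    r"^/api/(serve/applications/?|jobs/[^/?]+|job_agent/jobs/[^/?]+)$"
)

# Combined log format: client IP, identity, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Alert:
    ts: str
    ip: str
    method: str
    path: str
    status: int


def is_management_ip(ip: str) -> bool:
    """True if the client address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is treated as untrusted
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def analyze(lines) -> list[Alert]:
    """Return one Alert per DELETE to a sensitive Ray route from a non-management IP.
    Lines that do not parse are skipped rather than aborting the scan."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "DELETE" or not SENSITIVE_DELETE_PATHS.match(path):
            continue
        if is_management_ip(m["ip"]):
            continue  # expected administrative traffic; not alerted
        alerts.append(Alert(m["ts"], m["ip"], m["method"], path, int(m["status"])))
    return alerts


# Constructed sample access log; addresses and raysubmit_ ids are made up.
SAMPLE_LOG = """\
10.10.0.5 - - [20/Feb/2026:10:01:02 +0000] "GET /api/jobs/ HTTP/1.1" 200 512
192.168.1.77 - - [20/Feb/2026:10:02:11 +0000] "DELETE /api/serve/applications/ HTTP/1.1" 200 0
10.10.0.5 - - [20/Feb/2026:10:03:00 +0000] "DELETE /api/jobs/raysubmit_abc123 HTTP/1.1" 200 0
this line is not an access-log entry
192.168.1.77 - - [20/Feb/2026:10:04:40 +0000] "DELETE /api/job_agent/jobs/raysubmit_abc123?x=1 HTTP/1.1" 200 0
192.168.1.77 - - [20/Feb/2026:10:05:00 +0000] "POST /api/jobs/ HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.ts} {a.ip} {a.method} {a.path} -> {a.status}")
```

Run against the constructed log, the scanner raises two alerts (the Serve shutdown and the agent-side job deletion from 192.168.1.77) and stays quiet on the management-network DELETE, the GET, the blocked POST and the malformed line. A 200 status on a flagged DELETE is the signal that the request actually succeeded; on a patched cluster the same drive-by request from a browser would be refused.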

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Art. 15 - Accuracy, robustness and cybersecurity
  - Article 9 - Risk management system
ISO 42001
  - A.6.2 - AI system access control and authorization
  - A.6.2.6 - AI system access control
NIST AI RMF
  - GOVERN 6.1 - Organizational policies and procedures for AI risk
  - MANAGE 2.4 - Residual risks are managed to acceptable levels
  - MANAGE-2.4 - Residual risks to individuals and groups are managed
OWASP LLM Top 10
  - LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2026-27482?

CVE-2026-27482 is a missing-authentication vulnerability in Ray's dashboard HTTP server: the browser-origin middleware gates POST/PUT but not DELETE, and the DELETE endpoints for Serve applications and jobs are unauthenticated by default. When the dashboard is network-reachable (--dashboard-host=0.0.0.0), a drive-by page via DNS rebinding or same-network access can shut down Ray Serve or delete jobs without credentials. See the CISO Take above; the fix is Ray 2.54.0.

Is CVE-2026-27482 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27482, increasing the risk of exploitation.

How to fix CVE-2026-27482?

Follow the six-step Recommended Action list above: upgrade to Ray 2.54.0 (which gates DELETE behind the same browser-origin middleware as POST/PUT), bind the dashboard to 127.0.0.1 or a restricted management interface instead of 0.0.0.0, enable token authentication (--dashboard-token-length or RAY_DASHBOARD_TOKEN), restrict ports 8265 and 52365 with NetworkPolicies and audit NodePort/LoadBalancer exposure, alert on DELETE requests to /api/serve/applications/ and /api/jobs/* from unexpected source IPs, and verify no dashboard port is reachable from the internet or untrusted VLANs.

What systems are affected by CVE-2026-27482?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps platforms, and distributed inference.

What is the CVSS score for CVE-2026-27482?

CVE-2026-27482 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

### Summary

Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.

### Details

- Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.
- Endpoints lacking browser protection/auth by default:
  - python/ray/dashboard/modules/serve/serve_head.py: @routes.delete("/api/serve/applications/") calls serve.shutdown().
  - python/ray/dashboard/modules/job/job_head.py: @routes.delete("/api/jobs/{job_or_submission_id}").
  - python/ray/dashboard/modules/job/job_agent.py: @routes.delete("/api/job_agent/jobs/{job_or_submission_id}") (not wrapped with deny_browser_requests either).
- Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.

### PoC

Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.

1. Start Serve (or have jobs present).
2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:

```
fetch("http://<dashboard-host>:8265/api/serve/applications/", {
  method: "DELETE",
  headers: { "User-Agent": "Mozilla/5.0" } // browsers set this automatically
});
```

Result: Serve shuts down.

3. Similarly, delete jobs:

```
fetch("http://<dashboard-host>:8265/api/jobs/<job_or_submission_id>", { method: "DELETE" });
fetch("http://<dashboard-agent>:52365/api/job_agent/jobs/<job_or_submission_id>", { method: "DELETE" });
```

Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.

### Impact

- Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).
- No code execution from this vector, but breaks isolation/trust assumptions for “developer-only” endpoints.

### Fix

The fix for this vulnerability is to update to Ray 2.54.0 or higher. Fix PR: https://github.com/ray-project/ray/pull/60526
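To make the gating logic behind the fix concrete, here is an added illustrative Python model of the middleware decision. It is written for this page and is not Ray's code: the legacy policy gates only POST/PUT for browser-looking requests (the gap the advisory describes), while the hardened policy gates every state-changing method, generalizing the fix to PATCH as well, and can additionally require a dashboard token. The browser heuristic, the Request type, the policy function names and the bearer-token header format are all assumptions of this example, not Ray's is_browser_request or its token mechanism.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Methods that change server state. The pre-fix policy the advisory describes
# gated only POST and PUT; the hardened policy gates every state-changing method.
LEGACY_GATED = frozenset({"POST", "PUT"})
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumption of this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def is_browser_request(req: Request) -> bool:
    """Heuristic in the spirit of the UA/Origin/Sec-Fetch checks the advisory
    names. Illustrative reimplementation, not Ray's own is_browser_request."""
    ua = req.header("User-Agent") or ""
    if ua.startswith("Mozilla/"):
        return True
    if req.header("Origin") is not None:
        return True
    if req.header("Sec-Fetch-Mode") is not None or req.header("Sec-Fetch-Site") is not None:
        return True
    return False


def decide(req: Request, gated_methods: frozenset, expected_token: Optional[str] = None) -> str:
    """Return "allow" or "deny".

    gated_methods:  methods refused when the request looks browser-originated.
    expected_token: when set, every request must carry a matching bearer token
                    (the Authorization header format is an assumption here)."""
    if expected_token is not None:
        presented = req.header("Authorization") or ""
        expected = f"Bearer {expected_token}"
        # Constant-time comparison so the token check does not leak by timing.
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return "deny"
    if req.method.upper() in gated_methods and is_browser_request(req):
        return "deny"
    return "allow"


def legacy_policy(req: Request) -> str:
    """The vulnerable behaviour: a browser-origin DELETE slips through."""
    return decide(req, LEGACY_GATED)


def hardened_policy(req: Request, token: Optional[str] = None) -> str:
    """The fixed behaviour: DELETE is gated like POST/PUT, optionally plus a token."""
    return decide(req, STATE_CHANGING, token)


if __name__ == "__main__":
    # Constructed requests: a drive-by browser DELETE and a scripted CLI DELETE.
    browser = Request("DELETE", "/api/serve/applications/",
                      {"User-Agent": "Mozilla/5.0", "Origin": "http://page.example",
                       "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Site": "cross-site"})
    cli = Request("DELETE", "/api/jobs/raysubmit_abc123",
                  {"User-Agent": "python-requests/2.31.0"})
    print("legacy   browser DELETE:", legacy_policy(browser))    # allow (the bug)
    print("hardened browser DELETE:", hardened_policy(browser))  # deny
    print("hardened CLI DELETE    :", hardened_policy(cli))      # allow
```

The heuristic is deliberately a UA/Origin/Sec-Fetch check rather than an authentication step: it keeps drive-by browser pages away from state-changing routes without breaking scripted clients, which is exactly why the token option still matters. A non-browser client on the same network is not stopped by the heuristic at all, so the gating only closes the browser vector; binding the dashboard to a management interface and enabling the token are what address the same-network case the advisory also describes.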

Exploitation Scenario

An attacker on the same corporate LAN — or executing a DNS rebinding attack from the internet — sets up a malicious web page. An employee visits the page while connected to a network where Ray's dashboard port 8265 is reachable. The page silently issues fetch('http://ray-cluster:8265/api/serve/applications/', {method:'DELETE'}). Ray Serve shuts down instantly, taking all AI inference endpoints offline. The attack requires zero credentials, leaves minimal traces, and executes in under 100ms. In the DNS rebinding variant, no LAN access is needed — any internet-connected employee who visits the malicious site while behind a corporate network with an exposed Ray dashboard can be the unwitting trigger, requiring no attacker presence on-premises.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Timeline

Published
February 20, 2026
Last Modified
February 23, 2026
First Seen
March 24, 2026

Related Vulnerabilities