If you're running Ray with the dashboard exposed to any network (--dashboard-host=0.0.0.0), unauthenticated DELETE requests can kill your entire AI serving layer or wipe running jobs — no credentials needed, exploitable via DNS rebinding from any browser. Patch to Ray 2.54.0 immediately and restrict dashboard access to localhost or a dedicated management network. There is no legitimate reason to leave the dashboard network-exposed without authentication enabled.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ray | pip | < 2.54.0 | 2.54.0 |
If you run any ray version below 2.54.0, you're affected.
Recommended Action
1. PATCH: Upgrade all Ray deployments to 2.54.0 immediately — the fix gates DELETE on the same browser-origin middleware as POST/PUT.
2. NETWORK: Remove --dashboard-host=0.0.0.0; bind to 127.0.0.1 or a restricted management interface.
3. AUTH: Enable dashboard token authentication via --dashboard-token-length or the RAY_DASHBOARD_TOKEN environment variable.
4. KUBERNETES: Apply NetworkPolicies restricting ports 8265 and 52365 to authorized management pods and IPs only; audit existing NodePort or LoadBalancer services exposing Ray.
5. DETECTION: Alert on DELETE requests to /api/serve/applications/ and /api/jobs/* from unexpected source IPs in your API gateway or service mesh logs.
6. AUDIT: Verify no Ray dashboard ports are reachable from the internet or untrusted VLANs in any environment.
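The detection step above (item 5) can be implemented as a small scan over the access logs of whatever fronts ports 8265 and 52365. The following is an added example, not Ray project code: it assumes an nginx/Apache "combined"-style log line and an allow-listed management network, flags DELETE requests to the Serve and job endpoints named in this advisory from any other source, and keeps 403 responses too, since after patching those still record an attempt. The sample log lines and the 10.0.5.0/24 management range are constructed for the example.

```python
"""Flag destructive DELETE requests against a Ray dashboard from unexpected sources.

Added example, not Ray project code. It scans access-log lines from whatever
sits in front of ports 8265/52365 (reverse proxy, API gateway, service mesh)
and raises an alert for DELETE requests to the Serve/job endpoints named in
the advisory unless the client is inside an allow-listed management network.
The log format is assumed to be nginx/Apache "combined" style; the sample
lines below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Endpoints from the advisory whose DELETE handler shuts down Serve or deletes a job.
DESTRUCTIVE_PATHS = (
    re.compile(r"^/api/serve/applications/?$"),
    re.compile(r"^/api/jobs/[^/]+/?$"),
    re.compile(r"^/api/job_agent/jobs/[^/]+/?$"),
)

# Assumed combined-log layout: <ip> <ident> <user> [<ts>] "<method> <path> <proto>" <status> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    path: str
    status: int  # a 403 after patching still records an attempt worth investigating


def is_destructive_path(path: str) -> bool:
    """True for the Serve-shutdown and job-deletion routes (query string stripped)."""
    return any(p.match(path.split("?", 1)[0]) for p in DESTRUCTIVE_PATHS)


def find_suspicious_deletes(lines: Iterable[str], management_nets: Iterable[str]) -> List[Alert]:
    """Return one Alert per DELETE on a destructive path from outside management_nets."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "DELETE" or not is_destructive_path(m["path"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            ip = None  # unparsable client address: treat as untrusted
        if ip is not None and any(ip in net for net in nets):
            continue  # expected operator traffic from the management network
        alerts.append(Alert(m["ts"], m["ip"], m["path"], int(m["status"])))
    return alerts


# Constructed sample log lines: 10.0.5.0/24 is the assumed management network.
SAMPLE_LOG = [
    '10.0.5.20 - - [07/Jan/2026:10:00:01 +0000] "GET /api/jobs/ HTTP/1.1" 200 512',
    '10.0.5.20 - - [07/Jan/2026:10:00:05 +0000] "DELETE /api/jobs/raysubmit_abc123 HTTP/1.1" 200 2',
    '192.168.1.77 - - [07/Jan/2026:10:01:10 +0000] "DELETE /api/serve/applications/ HTTP/1.1" 200 2',
    '192.168.1.77 - - [07/Jan/2026:10:01:11 +0000] "DELETE /api/job_agent/jobs/raysubmit_abc123 HTTP/1.1" 200 2',
    '192.168.1.77 - - [07/Jan/2026:10:01:12 +0000] "DELETE /api/serve/deployments/ HTTP/1.1" 404 0',
    '192.168.1.78 - - [07/Jan/2026:11:30:00 +0000] "DELETE /api/jobs/raysubmit_def456 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for a in find_suspicious_deletes(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(f"ALERT {a.timestamp} {a.source_ip} DELETE {a.path} -> {a.status}")
```

Run against the constructed sample, the management-network DELETE is ignored, the non-destructive /api/serve/deployments/ path is ignored, and the three DELETEs from 192.168.1.x are reported, including the one that was refused with 403. Feed it the real log stream from your gateway and wire the Alert list into whatever pages your on-call.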
Technical Details
NVD Description
### Summary

Ray's dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.

### Details

- Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.
- Endpoints lacking browser protection/auth by default:
  - python/ray/dashboard/modules/serve/serve_head.py: @routes.delete("/api/serve/applications/") calls serve.shutdown().
  - python/ray/dashboard/modules/job/job_head.py: @routes.delete("/api/jobs/{job_or_submission_id}").
  - python/ray/dashboard/modules/job/job_agent.py: @routes.delete("/api/job_agent/jobs/{job_or_submission_id}") (not wrapped with deny_browser_requests either).
- Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.

### PoC

Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.

1. Start Serve (or have jobs present).
2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:

```
fetch("http://<dashboard-host>:8265/api/serve/applications/", {
  method: "DELETE",
  headers: { "User-Agent": "Mozilla/5.0" } // browsers set this automatically
});
```

Result: Serve shuts down.

3. Similarly, delete jobs:

```
fetch("http://<dashboard-host>:8265/api/jobs/<job_or_submission_id>", { method: "DELETE" });
fetch("http://<dashboard-agent>:52365/api/job_agent/jobs/<job_or_submission_id>", { method: "DELETE" });
```

Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.

### Impact

- Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).
- No code execution from this vector, but breaks isolation/trust assumptions for "developer-only" endpoints.

### Fix

The fix for this vulnerability is to update to Ray 2.54.0 or higher. Fix PR: https://github.com/ray-project/ray/pull/60526
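To make the root cause concrete, here is an added example (not Ray's code) that models the browser-origin gate described in the Details section as a framework-independent function, and runs the same browser-style DELETE through the pre-fix method set (POST/PUT only) and the post-fix set (POST/PUT/DELETE). The heuristics inside is_browser_request (Mozilla User-Agent, Origin, Sec-Fetch-* headers) are assumptions drawn from the advisory's one-line description, not a copy of Ray's implementation; the request header sets are constructed.

```python
"""Model of the browser-origin gate, with and without DELETE covered.

Added example, not Ray's code: a framework-independent stand-in for the
middleware the advisory describes. The browser heuristics below (Mozilla
User-Agent, Origin, Sec-Fetch-* headers) are assumptions drawn from the
advisory's summary of is_browser_request, not a copy of it.
"""
from typing import Mapping, Optional

VULNERABLE_GATED = frozenset({"POST", "PUT"})        # behaviour before 2.54.0
FIXED_GATED = frozenset({"POST", "PUT", "DELETE"})   # behaviour after the fix


def _lower(headers: Mapping[str, str]) -> dict:
    """Header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def is_browser_request(headers: Mapping[str, str]) -> bool:
    """Heuristic: does this request look like it was issued by a web browser?"""
    h = _lower(headers)
    if "mozilla" in h.get("user-agent", "").lower():
        return True
    if "origin" in h:
        return True
    return any(k.startswith("sec-fetch-") for k in h)


def browser_gate(method: str, headers: Mapping[str, str], gated=FIXED_GATED) -> Optional[int]:
    """Return 403 when a browser-looking request uses a gated method, else None (pass through)."""
    if method.upper() in gated and is_browser_request(headers):
        return 403
    return None


# Constructed: the headers a browser attaches to a cross-site fetch(..., {method: "DELETE"}).
BROWSER_DELETE = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0",
    "Origin": "http://rebinding.example",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "cross-site",
}
# Constructed: a command-line client on the same network, no browser markers at all.
CLI_DELETE = {"User-Agent": "curl/8.5.0", "Accept": "*/*"}


def simulate() -> dict:
    """Gate outcome per scenario: None means the handler runs, 403 means it is refused."""
    return {
        "vulnerable_browser": browser_gate("DELETE", BROWSER_DELETE, VULNERABLE_GATED),
        "fixed_browser": browser_gate("DELETE", BROWSER_DELETE, FIXED_GATED),
        "fixed_post_browser": browser_gate("POST", BROWSER_DELETE, FIXED_GATED),
        "fixed_cli": browser_gate("DELETE", CLI_DELETE, FIXED_GATED),
        "any_get_browser": browser_gate("GET", BROWSER_DELETE, FIXED_GATED),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:20s} -> {'pass' if outcome is None else outcome}")
```

The vulnerable_browser case is the bug: with only POST and PUT in the gated set, a browser's DELETE reaches serve.shutdown(). The fixed_cli case is why the patch alone is not the whole story: a non-browser client on a reachable network carries none of the browser markers and is never refused by this gate, which is exactly what the network-binding and token-auth recommendations above address.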
Exploitation Scenario
An attacker on the same corporate LAN — or executing a DNS rebinding attack from the internet — sets up a malicious web page. An employee visits the page while connected to a network where Ray's dashboard port 8265 is reachable. The page silently issues fetch('http://ray-cluster:8265/api/serve/applications/', {method:'DELETE'}). Ray Serve shuts down instantly, taking all AI inference endpoints offline. The attack requires zero credentials, leaves minimal traces, and executes in under 100ms. In the DNS rebinding variant, no LAN access is needed — any internet-connected employee who visits the malicious site while behind a corporate network with an exposed Ray dashboard can be the unwitting trigger, requiring no attacker presence on-premises.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
References
- github.com/advisories/GHSA-q5fh-2hc8-f6rq
- github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4
- github.com/ray-project/ray/pull/60526
- github.com/ray-project/ray/releases/tag/ray-2.54.0
- github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq
- nvd.nist.gov/vuln/detail/CVE-2026-27482