AI Threat Alert

CVE-2026-32981: Ray Dashboard: unauthenticated path traversal file read

GHSA-j3mh-qmjj-xp83 HIGH
Published March 17, 2026
CISO Take

Ray's distributed ML platform dashboard (port 8265, enabled by default) contains an unauthenticated path traversal vulnerability that allows any network-reachable attacker to read arbitrary files from the host without credentials or user interaction. With 872 downstream dependents and Ray widely deployed in ML training clusters, Ray Serve inference environments, and distributed data pipelines, the blast radius spans a significant portion of production MLOps infrastructure. The CVSS metrics (AV:N/AC:L/PR:N/UI:N) place this firmly in the automated-scanner-reachable category, and a PacketStorm reference suggests public exploitation interest even without a formal Nuclei template. Patch to ray 2.8.1 immediately; if patching is delayed, firewall port 8265 to localhost or a trusted management VLAN and audit access logs for traversal sequences.

Sources: NVD EPSS GitHub Advisory ATLAS OpenSSF PacketStorm VulnCheck

What is the risk?

High risk for any organization operating Ray-based MLOps infrastructure. The attack requires no authentication, no special privileges, and no user interaction — trivially exploitable by automated scanners. Ray dashboards are routinely deployed on internal ML cluster nodes with broad network reachability and absent authentication controls, particularly in cloud-hosted training environments where default security group configurations may expose port 8265. The 9 prior CVEs in the same package and an OpenSSF Scorecard of 5.7/10 indicate persistent security debt. Successful exploitation exposes host filesystem contents including cloud provider credentials, API keys, environment variable files, and proprietary model configurations, enabling multi-stage attacks beyond the initial file disclosure.

How does the attack unfold?

Reconnaissance
Attacker scans for exposed Ray Dashboard instances on port 8265 using Shodan, Censys, or targeted port scans against cloud CIDR ranges, identifying unauthenticated ML cluster management interfaces.
AML.T0006
Initial Access
Attacker sends an unauthenticated HTTP GET request to the Ray Dashboard static file handler with path traversal sequences (e.g., /static/../../../../etc/passwd), bypassing directory restrictions.
AML.T0049
Data Collection
Attacker iterates traversal requests to exfiltrate high-value files: cloud credential files (~/.aws/credentials), .env configs, Kubernetes service account tokens, and environment variables containing API keys.
AML.T0037
Impact
Harvested credentials enable lateral movement into cloud infrastructure (S3, GCS, Azure Blob), access to proprietary training datasets and model artifacts, or further compromise of connected ML systems.
AML.T0055

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Ray pip < 2.8.1 2.8.1
42.8K OpenSSF 5.7 872 dependents Pushed 3d ago 80% patched ~173d to patch Full package profile →

Do you use Ray? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

7 steps

  1. Patch: Upgrade ray to version 2.8.1 or later immediately — this is the only complete fix.

  2. Immediate network workaround: Bind the Ray Dashboard to 127.0.0.1 only (ray start --dashboard-host=127.0.0.1) or firewall port 8265 to localhost or a trusted management VLAN. Ray Dashboard should never be internet-exposed.

  3. Detection: Search web server and proxy logs for requests containing '../', '%2e%2e%2f', '%2e%2e/', or '..%2f' on port

  4. Alert on any static file request resolving outside the Ray static assets directory.

  5. Cloud audit: Review CloudTrail, GCP Audit Logs, or Azure Monitor for credential usage from unexpected source IPs or regions if Ray instances were internet-accessible.

  6. Credential rotation: If exposure is suspected, immediately rotate cloud access keys, API tokens, and database passwords present on affected hosts.

  7. Inventory: Use your asset inventory or 'ray status' to identify all Ray cluster head nodes and verify dashboard binding.

How is it classified?

Data Extraction Auth Bypass Framework Inference AML.T0006 AML.T0037 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system design and development
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI value and manage risk
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-32981?

Ray's distributed ML platform dashboard (port 8265, enabled by default) contains an unauthenticated path traversal vulnerability that allows any network-reachable attacker to read arbitrary files from the host without credentials or user interaction. With 872 downstream dependents and Ray widely deployed in ML training clusters, Ray Serve inference environments, and distributed data pipelines, the blast radius spans a significant portion of production MLOps infrastructure. The CVSS metrics (AV:N/AC:L/PR:N/UI:N) place this firmly in the automated-scanner-reachable category, and a PacketStorm reference suggests public exploitation interest even without a formal Nuclei template. Patch to ray 2.8.1 immediately; if patching is delayed, firewall port 8265 to localhost or a trusted management VLAN and audit access logs for traversal sequences.

Is CVE-2026-32981 actively exploited?

No confirmed active exploitation of CVE-2026-32981 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-32981?

1. Patch: Upgrade ray to version 2.8.1 or later immediately — this is the only complete fix. 2. Immediate network workaround: Bind the Ray Dashboard to 127.0.0.1 only (`ray start --dashboard-host=127.0.0.1`) or firewall port 8265 to localhost or a trusted management VLAN. Ray Dashboard should never be internet-exposed. 3. Detection: Search web server and proxy logs for requests containing '../', '%2e%2e%2f', '%2e%2e/', or '..%2f' on port 8265. Alert on any static file request resolving outside the Ray static assets directory. 4. Cloud audit: Review CloudTrail, GCP Audit Logs, or Azure Monitor for credential usage from unexpected source IPs or regions if Ray instances were internet-accessible. 5. Credential rotation: If exposure is suspected, immediately rotate cloud access keys, API tokens, and database passwords present on affected hosts. 6. Inventory: Use your asset inventory or 'ray status' to identify all Ray cluster head nodes and verify dashboard binding.

What systems are affected by CVE-2026-32981?

This vulnerability affects the following AI/ML architecture patterns: distributed training pipelines, model serving infrastructure, ML Ops platforms, reinforcement learning environments, Ray-based agent frameworks.

What is the CVSS score for CVE-2026-32981?

CVE-2026-32981 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.13%.

What is the AI security impact?

Affected AI Architectures

distributed training pipelinesmodel serving infrastructureML Ops platformsreinforcement learning environmentsRay-based agent frameworks

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.

Exploitation Scenario

An attacker scans for exposed Ray Dashboard instances on port 8265 using Shodan, Censys, or a targeted port scan against known cloud CIDR ranges. Finding an unauthenticated dashboard, the attacker sends: GET /static/../../../../home/ubuntu/.aws/credentials HTTP/1.1. The Ray static file handler, failing to sanitize the traversal sequences, resolves the path and returns the AWS credentials file directly. The attacker pivots immediately to the AWS API using the harvested access key, enumerating S3 buckets — finding training datasets, model checkpoints, and potentially PII used in model fine-tuning. In a Kubernetes-hosted Ray deployment, the attacker reads /var/run/secrets/kubernetes.io/serviceaccount/token, gaining cluster API access and the ability to pivot to other workloads, exfiltrate further artifacts, or deploy a reverse shell via a manipulated pod spec.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
March 17, 2026
Last Modified
June 9, 2026
First Seen
June 9, 2026

Related Vulnerabilities

CRITICAL CVE-2023-6019 9.8

Ray: unauthenticated RCE via dashboard command injection

Same package: ray
CRITICAL CVE-2023-48022 9.8

Ray: unauthenticated RCE via job submission API

Same package: ray
CRITICAL CVE-2023-6021 9.3

Ray: LFI allows unauthenticated file read

Same package: ray
CRITICAL CVE-2023-6020 9.3

Ray: unauthenticated LFI exposes entire filesystem

Same package: ray
MEDIUM CVE-2025-1979 6.4

Ray: Redis password exposed via plaintext logging

Same package: ray
Back to Threat Feed