CVE-2026-32981 in Ray

Summary

by MITRE • 03/17/2026

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.


Analysis

by VulDB Data Team • 03/21/2026

CVE-2026-32981 is a path traversal flaw in the Ray Dashboard, the web interface Ray exposes on port 8265 by default, affecting versions prior to 2.8.1. The weakness sits in the dashboard's static file handler: user-supplied paths are not validated or sanitized before being resolved on disk, so a request can step outside the directory the handler is meant to serve. Because the dashboard is the monitoring and management front end for distributed machine learning workloads, it is routinely reachable from operator networks, which makes a file disclosure bug in it worth prioritizing for organizations that run Ray.

The exploitation path is direct: the handler joins the requested path onto its static directory without rejecting or normalizing traversal sequences such as ../ or ..\, so a crafted HTTP request to the dashboard's file serving endpoint resolves to an arbitrary file readable by the dashboard process. The bug lives at the application layer and, since the Ray Dashboard does not require authentication or special privileges to serve static content, anyone who can reach port 8265 can trigger it. It maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), the class of flaws in which missing path validation lets a caller read files outside the intended directory.
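The following is an added illustration, not Ray's code or the actual fix: a naive static-file resolver of the kind described above, placed beside a hardened resolver that canonicalizes the path and refuses anything that escapes the static root. The directory layout, the "session_key" file standing in for a secret, and the traversal strings are all constructed for the demo.

```python
"""Vulnerable vs. hardened static-file resolution (added example, not Ray's code).

Builds a throwaway tree <root>/static/app.js plus a constructed secret at
<root>/session_key, then shows which traversal requests each resolver serves.
"""
import tempfile
from pathlib import Path
from typing import Callable, Optional
from urllib.parse import unquote


def setup_demo_tree() -> Path:
    """Create the constructed directory layout used by the demo."""
    root = Path(tempfile.mkdtemp(prefix="ray_demo_"))
    (root / "static").mkdir()
    (root / "static" / "app.js").write_text("console.log('dashboard');\n")
    # Constructed stand-in for a sensitive file outside the static directory.
    (root / "session_key").write_text("placeholder-secret\n")
    return root


def naive_resolve(static_root: Path, requested: str) -> Optional[Path]:
    """Vulnerable pattern: decode the URL path, join it onto the static
    directory and trust the result. '../' walks out of static_root."""
    return static_root / unquote(requested).lstrip("/")


def safe_resolve(static_root: Path, requested: str) -> Optional[Path]:
    """Hardened pattern: canonicalize (symlinks and '..' resolved), then
    require the result to stay under the canonical root. None = refused."""
    root = static_root.resolve()
    # Decode once, fold backslashes to slashes, then canonicalize.
    decoded = unquote(requested).replace("\\", "/").lstrip("/")
    candidate = (root / decoded).resolve()
    try:
        candidate.relative_to(root)   # raises ValueError if it escaped
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def read_static(static_root: Path, requested: str,
                resolver: Callable[[Path, str], Optional[Path]]) -> Optional[str]:
    """Serve a file through the given resolver; None means refused or missing."""
    target = resolver(static_root, requested)
    if target is None or not target.is_file():
        return None
    return target.read_text()


# Traversal variants an attacker would try against a /static/ endpoint.
TRAVERSAL_REQUESTS = [
    "../session_key",             # plain dot-dot
    "%2e%2e/session_key",         # URL-encoded dots
    "..%2fsession_key",           # URL-encoded separator
    "..\\session_key",            # backslash separator
    "app.js/../../session_key",   # traversal appended to a real file name
]


def demo() -> dict:
    """Return which requests leaked the secret under each resolver."""
    static = setup_demo_tree() / "static"
    leaked_naive = [r for r in TRAVERSAL_REQUESTS
                    if read_static(static, r, naive_resolve) is not None]
    leaked_safe = [r for r in TRAVERSAL_REQUESTS
                   if read_static(static, r, safe_resolve) is not None]
    return {
        "leaked_naive": leaked_naive,
        "leaked_safe": leaked_safe,
        "legit_served": read_static(static, "app.js", safe_resolve) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened resolver works because the check happens after canonicalization: whatever encoding or separator the request used, the comparison is made on the real filesystem path, and the legitimate app.js still serves. Note that decoding only once is deliberate; a server that decodes again downstream would reopen the hole, which is why the check belongs at the last step before the file is opened.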

The impact is local file disclosure with the privileges of the dashboard process, which in practice goes beyond a single leaked file. Reachable files can include configuration, credentials, session material and other system artifacts, and in a production cluster that information can be the foothold for further compromise of the distributed computing platform. Exposure is worst where the dashboard is reachable beyond the cluster's own network, a common situation because port 8265 is often opened for operators. Disclosed files also aid reconnaissance: software versions, configuration details and hints toward additional weaknesses elsewhere in the infrastructure.

Mitigation starts with upgrading to Ray 2.8.1 or later, which contains the fix for this path traversal. Independently of version, port 8265 should be reachable only from trusted networks, enforced with network segmentation and firewall rules rather than left to the application. Further layers include validating and canonicalizing paths server-side before any file is opened, a web application firewall that rejects traversal sequences including their URL-encoded forms, and periodic security assessment of the Ray deployment. In ATT&CK terms the attack is T1190 (Exploit Public-Facing Application): the exposed web interface is the initial access vector, and any credentials read from disk are what the attacker walks away with. Request and file access logging on the dashboard should be enabled and reviewed for traversal patterns so that exploitation attempts are detected, and administrators operating Ray should be made aware that the dashboard is an unauthenticated network service.
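As an added example of the log review recommended above (not Ray's own tooling), the script below flags access-log entries whose /static/ request carries a traversal sequence, including URL-encoded and double-encoded forms, and separates probes that were answered 200 from ones the server refused. The log lines are constructed for the demo, and the line format (client, request line, status) is an assumption rather than Ray's actual log format.

```python
"""Detect path-traversal probes against a /static/ endpoint in access logs
(added example; log format and sample lines are constructed, not Ray's)."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample: ordinary dashboard traffic mixed with traversal probes.
SAMPLE_LOG = """\
10.0.0.5 - "GET /static/js/main.js HTTP/1.1" 200
10.0.0.5 - "GET /api/cluster_status HTTP/1.1" 200
198.51.100.7 - "GET /static/../../../../etc/passwd HTTP/1.1" 200
198.51.100.7 - "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403
198.51.100.7 - "GET /static/..%252f..%252fsession_key HTTP/1.1" 200
10.0.0.9 - "GET /static/css/..dotted-name.css HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def fully_decode(path: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_static(path: str) -> bool:
    """True when a /static/ request contains a '..' segment or normalizes to
    a location outside /static/. Only whole segments count, so a file whose
    name merely starts with '..' is not flagged."""
    decoded = fully_decode(path).replace("\\", "/")
    if not decoded.startswith("/static/"):
        return False
    if ".." in decoded.split("/"):
        return True
    return not posixpath.normpath(decoded).startswith("/static/")


def scan(log_text: str) -> list:
    """Return one record per suspicious request. A 200 response marks a
    likely successful disclosure rather than a blocked probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and escapes_static(m["path"]):
            hits.append({
                "client": m["client"],
                "path": m["path"],
                "status": int(m["status"]),
                "likely_disclosure": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

One caveat for real deployments: if the web server normalizes the path before writing its log, the traversal will not be visible there, so the detection should run on the raw request line (a reverse proxy log, or packet capture) rather than on a post-normalization path.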

Responsible

VulnCheck

Reservation

03/17/2026

Disclosure

03/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00125

KEV

no

Activities

very low

Sources
