PT-2026-25933 · Anyscale · Ray

Indoushka · Published 2026-03-17 · Updated 2026-03-18 · CVE-2026-32981

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Ray versions prior to 2.8.1

Description

A path traversal issue exists in Ray Dashboard (default port 8265). Insufficient validation and sanitization of user-supplied paths within the static file handling mechanism allows an attacker to use traversal sequences (e.g., ../) to access files outside the intended static directory, leading to local file disclosure. The vulnerable component is the static file handling mechanism. The API endpoint is not explicitly mentioned. The vulnerable parameter is the user-supplied path.

Recommendations

Update to Ray version 2.8.1 or later.
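
The weakness class named in the description, as an added example (not Ray's code and not part of this advisory): a static-file path resolver with no containment check beside a hardened one. The function names, directory layout and sample files are constructed for illustration, and the code assumes a POSIX filesystem.

```python
import os
import tempfile


def resolve_naive(static_root, requested):
    """Vulnerable pattern: join and normalise, with no containment check."""
    return os.path.normpath(os.path.join(static_root, requested))


def resolve_contained(static_root, requested):
    """Hardened pattern: canonicalise, then require the result under the root."""
    root = os.path.realpath(static_root)
    # realpath collapses ../ and follows symlinks; an absolute `requested`
    # replaces the root in os.path.join and is caught by the same check.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes static root: {requested!r}")
    return candidate


def is_inside(static_root, path):
    """True if the canonical form of `path` lies under the static root."""
    root = os.path.realpath(static_root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo():
    """Return {label: (naive_escapes_root, hardened_serves)} on a constructed tree."""
    with tempfile.TemporaryDirectory() as base:
        static_root = os.path.join(base, "static")
        secret = os.path.join(base, "secret.txt")  # constructed file outside the root
        os.makedirs(os.path.join(static_root, "js"))
        for path in (os.path.join(static_root, "js", "app.js"), secret):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(secret, os.path.join(static_root, "link.txt"))
        requests = {"js/app.js": "js/app.js", "../secret.txt": "../secret.txt",
                    "js/../../secret.txt": "js/../../secret.txt",
                    "link.txt": "link.txt", "<absolute path>": secret}
        results = {}
        for label, req in requests.items():
            escapes = not is_inside(static_root, resolve_naive(static_root, req))
            try:
                resolve_contained(static_root, req)
                served = True
            except PermissionError:
                served = False
            results[label] = (escapes, served)
        return results
```

The symlink case shows why a lexical check on the normalised string is not enough: the path stays inside the static directory as text but resolves to a file outside it.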

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32981
GHSA-J3MH-QMJJ-XP83
PYSEC-2026-130

Affected Products

Ray