Description
A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.
Published: 2026-03-17
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Disclosure
Action: Immediate Patch
AI Analysis

Impact

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Because user‑supplied paths are not properly validated or sanitized in the static file handling mechanism, an attacker can supply traversal sequences such as ../ to read files outside the intended static directory. This results in local file disclosure, potentially exposing sensitive data on the host system. The weakness is classified as CWE‑22.

Affected Systems

The vulnerability affects Ray Project’s Ray software, specifically Ray Dashboard versions <=2.8.0. Any deployment of Ray on a system running a version before 2.8.1 is impacted, as indicated by the vendor’s CPE string cpe:2.3:a:anyscale:ray:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the near term, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation would likely require the attacker to send a crafted HTTP request to the Ray Dashboard service on port 8265, which may be reachable over the local network or exposed externally. Once the request is accepted, the attacker can read arbitrary files from the host, compromising confidentiality and potentially enabling further attacks if privileged data is disclosed.

Generated by OpenCVE AI on March 19, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated version of Ray (2.8.1 or later) to eliminate the path traversal flaw.
  • If a patch cannot be applied immediately, restrict network access to Ray Dashboard’s port 8265 to trusted hosts or internal networks only to reduce exposure.
  • Consider disabling static file serving or configuring a firewall to block requests containing traversal sequences.
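The following is an added example, not Ray's code and not part of the OpenCVE analysis: it puts the weak join-and-normalise pattern described under Impact beside a static-file resolver that rejects traversal, and runs the same ".." test over constructed access-log lines as a detection for the last recommended action. STATIC_ROOT, the function names and the log lines are assumptions, not values taken from Ray.

```python
import os
from typing import List, Optional
from urllib.parse import unquote

STATIC_ROOT = "/srv/dashboard/static"  # constructed root, not Ray's real layout

def naive_resolve(url_path: str, root: str = STATIC_ROOT) -> str:
    """The CWE-22 pattern: the client-controlled path is joined onto the root
    and normalised, so '../' segments walk out of the static directory."""
    return os.path.normpath(os.path.join(root, url_path.lstrip("/")))

def safe_resolve(url_path: str, root: str = STATIC_ROOT) -> Optional[str]:
    """Return the file to serve, or None if the request must be rejected."""
    decoded = unquote(url_path)  # %2e%2e%2f becomes a literal ../ before checking
    if "\x00" in decoded or "\\" in decoded:  # NUL and backslash variants
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:  # reject outright instead of silently collapsing
        return None
    candidate = os.path.normpath(os.path.join(root, *segments))
    # Defence in depth: the resolved path must still sit under the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def is_traversal_attempt(request_path: str) -> bool:
    """Flag a request path whose decoded form carries a '..' segment."""
    decoded = unquote(unquote(request_path))  # also catches double encoding
    return ".." in decoded.replace("\\", "/").split("/")

# Constructed access-log lines; not captured from a real Ray deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2026:20:16:14 +0000] "GET /static/js/app.js HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Mar/2026:20:16:20 +0000] "GET /static/../../config.yaml HTTP/1.1" 200 311',
    '10.0.0.9 - - [17/Mar/2026:20:16:21 +0000] "GET /static/%2e%2e/%2e%2e/config.yaml HTTP/1.1" 200 311',
]

def flag_suspicious(lines: List[str]) -> List[str]:
    """Return the client IP of every log line whose request path looks like traversal."""
    hits = []
    for line in lines:
        ip, _, rest = line.partition(" ")
        path = rest.split('"')[1].split(" ")[1]  # path field of the request line
        if is_traversal_attempt(path):
            hits.append(ip)
    return hits
```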


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Anyscale; Anyscale ray
CPEs                |                | cpe:2.3:a:anyscale:ray:*:*:*:*:*:*:*:*
Vendors & Products  |                | Anyscale; Anyscale ray

Wed, 18 Mar 2026 12:15:00 +0000

Type                | Values Removed        | Values Added
First Time appeared |                       | Ray Project; Ray Project ray
Vendors & Products  |                       | Ray Project; Ray Project ray
References          |                       |
Metrics             | threat_severity: None | threat_severity: Important


Tue, 17 Mar 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 20:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.
Title       |                | Ray Dashboard <= 2.8.0 Path Traversal Leading to Local File Disclosure
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
            |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-17T20:28:01.758Z

Reserved: 2026-03-17T11:31:56.956Z

Link: CVE-2026-32981

Vulnrichment

Updated: 2026-03-17T20:26:47.390Z

NVD

Status: Analyzed

Published: 2026-03-17T20:16:14.373

Modified: 2026-03-19T19:25:48.443

Link: CVE-2026-32981

Red Hat

Severity: Important

Public Date: 2026-03-17T19:33:50Z

Links: CVE-2026-32981 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:54:41Z

Weaknesses