CVE-2026-27482: Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)
Ray's dashboard HTTP server rejects browser-originated POST and PUT requests, but that check does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard or dashboard agent is reachable from a browser (for example when started with --dashboard-host=0.0.0.0), a malicious web page can issue DELETE requests, via DNS rebinding or simply from the same network, that shut down Ray Serve or delete jobs with no user interaction. The impact is availability only: a drive-by denial of service.
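The guard pattern described above, as an added example that is not Ray's own code: a "before" guard that refuses browser-originated POST/PUT only, beside a hardened guard that covers every state-changing method and also pins the Host header against DNS rebinding. The Request stand-in, the User-Agent heuristic for "looks like a browser" and the allowed-host list are assumptions made for this illustration; the affected endpoint paths are not reproduced here.

```python
"""Added example, not Ray's code: a request guard of the shape the advisory
describes, in the buggy form (POST/PUT only) and a hardened form.  The Request
stand-in, the User-Agent heuristic and the allowed-host list are assumptions."""
from dataclasses import dataclass, field

# RFC 9110 "safe" methods: every other method (POST, PUT, PATCH, DELETE, ...)
# may change server state and must not be reachable from a hostile web page.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    """Minimal stand-in for a web-framework request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        """Case-insensitive header lookup; returns None when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_browser_request(req: Request) -> bool:
    """Assumed heuristic: browsers send a User-Agent beginning with 'Mozilla/',
    and page JavaScript cannot override that header (it is a forbidden header
    name), so the value is trustworthy for drive-by requests.  curl and a
    Python HTTP client send something else and are let through."""
    return (req.header("User-Agent") or "").startswith("Mozilla/")


def vulnerable_guard(req: Request) -> bool:
    """'Before' behaviour the advisory describes: only POST and PUT from a
    browser are refused.  A browser-issued DELETE is passed through to an
    unauthenticated handler, which is the bug."""
    if req.method in ("POST", "PUT") and is_browser_request(req):
        return False
    return True


def _host_without_port(host_header: str) -> str:
    """'localhost:8265' -> 'localhost'; '[::1]:8265' -> '::1'."""
    if host_header.startswith("["):
        return host_header[1:host_header.find("]")]
    return host_header.split(":", 1)[0]


def hardened_guard(req: Request, allowed_hosts=("localhost", "127.0.0.1", "::1")) -> bool:
    """Fixed form: refuse browser-originated requests for every non-safe method,
    and additionally pin the Host header.  A DNS-rebound page reaches the
    dashboard's IP, but the browser still sends the attacker's hostname in Host,
    so Host pinning defeats rebinding even if the User-Agent check were bypassed.
    allowed_hosts is an example allowlist, not Ray's configuration."""
    if req.method in SAFE_METHODS:
        return True
    if is_browser_request(req):
        return False
    host = req.header("Host")
    if host is None or _host_without_port(host) not in allowed_hosts:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: a drive-by DELETE from a browser and a legitimate
    # DELETE from a non-browser client on the same host.
    drive_by = Request("DELETE", {"User-Agent": "Mozilla/5.0", "Host": "localhost:8265"})
    cli = Request("DELETE", {"User-Agent": "python-requests/2.31", "Host": "127.0.0.1:8265"})
    for name, req in (("drive-by", drive_by), ("cli", cli)):
        print(f"{name:9} vulnerable={vulnerable_guard(req)} hardened={hardened_guard(req)}")
```

Running the block shows the drive-by DELETE passing vulnerable_guard and failing hardened_guard, while the non-browser client passes both. The Host allowlist is an extra layer rather than the core fix: in a real deployment it must list every name administrators actually use to reach the dashboard, or legitimate remote tooling will be refused.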
References
- github.com/advisories/GHSA-q5fh-2hc8-f6rq
- github.com/ray-project/ray
- github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4
- github.com/ray-project/ray/pull/60526
- github.com/ray-project/ray/releases/tag/ray-2.54.0
- github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq
- nvd.nist.gov/vuln/detail/CVE-2026-27482