{"id":"CVE-2026-27482","summary":"Ray: Dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)","details":"Ray is an AI compute engine. In versions 2.53.0 and below, the dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.","aliases":["GHSA-q5fh-2hc8-f6rq"],"modified":"2026-04-10T05:37:11.808292Z","published":"2026-02-21T09:18:26.027Z","related":["CGA-vjmx-hf4q-wm43"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27482.json","cwe_ids":["CWE-396"]},"references":[{"type":"WEB","url":"https://github.com/ray-project/ray/releases/tag/ray-2.54.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27482.json"},{"type":"ADVISORY","url":"https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27482"},{"type":"FIX","url":"https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4"},{"type":"FIX","url":"https://github.com/ray-project/ray/pull/60526"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ray-project/ray","events":[{"introduced":"0"},{"fixed":"48bd1f8fa43d0e8222b0f57357b99b48c7437ed3"}]}],"versions":["ray-0.1.0","ray-0.1.1","ray-0.1.2","ray-0.2.0","ray-0.2.1","ray-0.2.2","ray-0.3.0","ray-0.3.1","ray-0.4.0","ray-0.5.0","ray-0.5.1","ray-0.5.2","ray-0.5.3","ray-0.6.0","ray-0.6.1","ray-0.6.2","ray-0.6.3","ray-0.6.4","ray-0.6.5","ray-0.7.0"],"database_specifi
c":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27482.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H"}]}