Anyscale Ray vulnerabilities
12 known vulnerabilities affecting anyscale/ray.
Total CVEs: 12
CISA KEV: 0
Public exploits: 5
Exploited in wild: 2
Severity breakdown: CRITICAL 8, HIGH 2, MEDIUM 2
Vulnerabilities
CVE-2023-48022 | P1 | CRITICAL | CVSS 9.8 | Exploited, PoC | Affected: v2.6.3, v2.8.0 | Published: 2023-11-28
CVE-2023-48022 [CRITICAL] CWE-918
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.5
Sources: GHSA, NVD, OSV
CVE-2025-62593 | P2 | CRITICAL | Exploited | Affected: ≥ 0, < 2.52.0 | Published: 2025-11-26
CVE-2025-62593 [CRITICAL] CWE-352: Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
# Summary
Developers running Ray as a local development tool are exposed to a critical RCE vulnerability that is exploitable through Firefox and Safari.
Due to the longstanding [decision](https://docs.ray.io/en/releases-2.51.1/ray-security/index.html) by the Ray Development team to n
Sources: GHSA, OSV
CVE-2023-6019 | P1 | CRITICAL | PoC | Affected: ≥ 0, < 2.8.1 | Published: 2023-11-16
CVE-2023-6019 [CRITICAL] CWE-78: Ray OS Command Injection vulnerability
A command injection exists in Ray's cpu_profile URL parameter, allowing attackers to execute OS commands remotely and without authentication on the system running the Ray dashboard.
Sources: GHSA, OSV
CVE-2023-48023 | P2 | CRITICAL | CVSS 9.1 | PoC | Affected: v2.6.3, v2.8.0 | Published: 2023-11-28
CVE-2023-48023 [CRITICAL] CWE-918
Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment
Sources: NVD
CVE-2023-6021 | P2 | CRITICAL | PoC | Affected: ≥ 0, < 2.8.1 | Published: 2023-11-16
CVE-2023-6021 [CRITICAL] CWE-22: Ray Path Traversal vulnerability
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Sources: GHSA, OSV
CVE-2023-6020 | P2 | CRITICAL | PoC | Affected: ≥ 0, < 2.8.1 | Published: 2023-11-16
CVE-2023-6020 [CRITICAL] CWE-598: Ray Missing Authorization vulnerability
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Sources: GHSA, OSV
CVE-2026-41486 | P3 | HIGH | CVSS 8.8 | Affected: v2.54.0 | Published: 2026-05-08
CVE-2026-41486 [HIGH] CWE-94
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the fiel
Sources: GHSA, NVD
CVE-2026-32981 | P3 | HIGH | CVSS 7.5 | Fixed in: 2.8.1 | Published: 2026-03-17
CVE-2026-32981 [HIGH] CWE-22
A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file di
Sources: GHSA, NVD
CVE-2026-27482 | P3 | MEDIUM | CVSS 6.5 | Fixed in: 2.54.0 | Published: 2026-02-21
CVE-2026-27482 [MEDIUM] CWE-396
Ray is an AI compute engine. In versions 2.53.0 and below, the dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that
Sources: GHSA, NVD, OSV
CVE-2025-1979 | P4 | MEDIUM | Affected: ≥ 0, < 2.43.0 | Published: 2025-03-06
CVE-2025-1979 [MEDIUM] CWE-532: Ray vulnerable to Insertion of Sensitive Information into Log File
Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File: the Redis password is written to the standard log output. If the Redis password is passed as an argument, it is logged and could leak the password.
This is only exploitable if:
1) Logging is enabled
Sources: GHSA, OSV
CVE-2024-57000 | CRITICAL | CVSS 9.8 | Affected: ≥ 2.9.3, ≤ 2.40.0 | Published: 2025-02-12
CVE-2024-57000 [CRITICAL] CWE-94: Withdrawn Advisory: Command injection in Ray
# Withdrawn Advisory
This advisory is a duplicate of GHSA-6wgj-66m2-xxp2 / CVE-2023-48022.
# Original Description
An issue in Anyscale Inc Ray between v.2.9.3 and v.2.40.0 allows a remote attacker to execute arbitrary code via a crafted script.
Sources: GHSA, OSV
CVE-2025-34351 | CRITICAL | Affected: ≥ 0, ≤ 2.52.0 | Published: 2025-11-27
CVE-2025-34351 [CRITICAL] CWE-1188: Ray's New Token Authentication is Disabled By Default
Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and ex
Sources: GHSA, OSV