GHSA-Q5FH-2HC8-F6RQ

Vulnerability from github – Published: 2026-02-20 21:15 – Updated: 2026-02-23 22:30
Summary
Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)
Details

### Summary

Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.

### Details

  • Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.
  • Endpoints lacking browser protection/auth by default:
    • python/ray/dashboard/modules/serve/serve_head.py: @routes.delete("/api/serve/applications/") calls serve.shutdown().
    • python/ray/dashboard/modules/job/job_head.py: @routes.delete("/api/jobs/{job_or_submission_id}").
    • python/ray/dashboard/modules/job/job_agent.py: @routes.delete("/api/job_agent/jobs/{job_or_submission_id}") (not wrapped with deny_browser_requests either).
  • Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.
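To make the gap concrete, the following is an added example (not Ray's code, and not a reproduction of its actual middleware) of a method-aware gate for browser-originated requests to a dashboard-style HTTP API. It applies the same kind of User-Agent / Origin / Sec-Fetch heuristic the advisory describes to every state-changing method rather than only POST and PUT, so a DELETE from a web page is refused unless the request is otherwise authenticated. The exact header heuristics, the method set, the `Request` type and the `authenticated` flag (standing in for the optional token auth) are assumptions chosen for illustration.

```python
"""Added example: gate state-changing requests that look browser-originated.

This is illustrative code, not Ray's implementation; the heuristics and the
method list are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Mapping

# Every method that changes server state.  The advisory's defect is that
# DELETE was missing from the gated set; PATCH is added here as well because
# it is equally state-changing.
STATE_CHANGING_METHODS = frozenset({"POST", "PUT", "DELETE", "PATCH"})

# Sec-Fetch-Mode values browsers attach to fetch()/XHR/navigation requests.
# Command-line clients and SDKs do not send Sec-Fetch-* headers at all.
BROWSER_FETCH_MODES = frozenset({"cors", "no-cors", "navigate", "same-origin"})


def is_browser_request(headers: Mapping[str, str]) -> bool:
    """Heuristic: does this request look like it came from a web browser?

    Any single signal is enough: browsers send a Mozilla-style User-Agent,
    send Origin on cross-site requests, and modern browsers send
    Sec-Fetch-Mode.  Being permissive here only blocks browsers from an API
    that is not meant to be driven by web pages in the first place.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("user-agent", "").startswith("Mozilla/"):
        return True
    if "origin" in lower:
        return True
    if lower.get("sec-fetch-mode", "").lower() in BROWSER_FETCH_MODES:
        return True
    return False


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def gate(request: Request, authenticated: bool = False) -> tuple[int, str]:
    """Return (status, reason): 403 for an unauthenticated, browser-looking
    request using a state-changing method; 200 otherwise.

    `authenticated` stands in for a verified dashboard token; when the
    deployment has token auth off (the default the advisory describes) the
    browser-origin check is the only thing standing between a web page and
    the DELETE handlers.
    """
    method = request.method.upper()
    if (
        method in STATE_CHANGING_METHODS
        and not authenticated
        and is_browser_request(request.headers)
    ):
        return 403, f"browser-origin {method} to {request.path} denied"
    return 200, "ok"


def demo() -> dict[str, int]:
    """Run constructed sample requests against the three endpoints the
    advisory lists and return the status each would receive."""
    samples = {
        # A page's fetch() with only the automatic browser UA: blocked.
        "serve-shutdown-from-page": Request(
            "DELETE", "/api/serve/applications/", {"User-Agent": "Mozilla/5.0"}),
        # Cross-site page: Origin alone is enough to classify as browser.
        "job-delete-from-page": Request(
            "DELETE", "/api/jobs/<id>", {"Origin": "http://attacker.example"}),
        # Agent endpoint, modern browser signal only.
        "agent-delete-from-page": Request(
            "DELETE", "/api/job_agent/jobs/<id>", {"Sec-Fetch-Mode": "cors"}),
        # A CLI/SDK client with no browser signals is still allowed.
        "job-delete-from-cli": Request(
            "DELETE", "/api/jobs/<id>", {"User-Agent": "python-requests/2.31"}),
        # Read-only browser access is unaffected by the gate.
        "job-list-from-page": Request(
            "GET", "/api/jobs/", {"User-Agent": "Mozilla/5.0"}),
    }
    return {name: gate(req)[0] for name, req in samples.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:28s} -> {status}")
```

The important design choice is that the gate is keyed on the method class, not on an explicit list of routes: a new `@routes.delete` handler added later is covered automatically, which is exactly what an allow-list of POST/PUT could not guarantee.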

### PoC

Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.

  1. Start Serve (or have jobs present).
  2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:
```javascript
fetch("http://<dashboard-host>:8265/api/serve/applications/", {
  method: "DELETE",
  headers: { "User-Agent": "Mozilla/5.0" }  // browsers set this automatically
});
```

     Result: Serve shuts down.
  3. Similarly, delete jobs:

```javascript
fetch("http://<dashboard-host>:8265/api/jobs/<job_or_submission_id>", { method: "DELETE" });
fetch("http://<dashboard-agent>:52365/api/job_agent/jobs/<job_or_submission_id>", { method: "DELETE" });
```

Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.

### Impact

  • Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).
  • No code execution from this vector, but breaks isolation/trust assumptions for “developer-only” endpoints.

### Fix

The fix for this vulnerability is to update to Ray 2.54.0 or higher.

Fix PR: https://github.com/ray-project/ray/pull/60526


```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ray"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.54.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-396"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T21:15:25Z",
    "nvd_published_at": "2026-02-21T10:16:12Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n  Ray\u2019s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can\n  issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.\n\n  ### Details\n\n  - Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.\n  - Endpoints lacking browser protection/auth by default:\n      - python/ray/dashboard/modules/serve/serve_head.py: @routes.delete(\"/api/serve/applications/\") calls serve.shutdown().\n      - python/ray/dashboard/modules/job/job_head.py: @routes.delete(\"/api/jobs/{job_or_submission_id}\").\n      - python/ray/dashboard/modules/job/job_agent.py: @routes.delete(\"/api/job_agent/jobs/{job_or_submission_id}\") (not wrapped with deny_browser_requests either).\n  - Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.\n\n  ### PoC\n\n  Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.\n\n  1. Start Serve (or have jobs present).\n  2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:\n\n```  \nfetch(\"http://\u003cdashboard-host\u003e:8265/api/serve/applications/\", {\n    method: \"DELETE\",\n    headers: { \"User-Agent\": \"Mozilla/5.0\" }  // browsers set this automatically\n  });\n```\n\n  Result: Serve shuts down.\n  3) Similarly, delete jobs:\n\n ` fetch(\"http://\u003cdashboard-host\u003e:8265/api/jobs/\u003cjob_or_submission_id\u003e\", { method: \"DELETE\" });`\n ` fetch(\"http://\u003cdashboard-agent\u003e:52365/api/job_agent/jobs/\u003cjob_or_submission_id\u003e\", { method: \"DELETE\" });`\n\n  Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.\n\n  ### Impact\n\n  - Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).\n  - No code execution from this vector, but breaks isolation/trust assumptions for \u201cdeveloper-only\u201d endpoints.\n  \n### Fix\nThe fix for this vulnerability is to update to Ray 2.54.0 or higher. \n\nFix PR: https://github.com/ray-project/ray/pull/60526",
  "id": "GHSA-q5fh-2hc8-f6rq",
  "modified": "2026-02-23T22:30:32Z",
  "published": "2026-02-20T21:15:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/pull/60526"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ray-project/ray"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)"
}
```