{"data":{"id":"f7b3d095-f976-4909-ba8a-9a10b7e1e9f0","title":"GHSA-q5fh-2hc8-f6rq: Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)","summary":"Ray's dashboard HTTP server (a web interface for monitoring Ray clusters) does not block DELETE requests from browsers, even though it blocks POST and PUT requests. Because token-based auth is disabled by default, an attacker on the same network, or one using DNS rebinding (making an attacker-controlled domain name resolve to a local address), can shut down Serve (Ray's serving system) or delete jobs without authentication. The only user interaction required is visiting a malicious webpage.","solution":"Update to Ray 2.54.0 or higher. Fix PR: https://github.com/ray-project/ray/pull/60526","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-q5fh-2hc8-f6rq","publishedAt":"2026-02-20T21:15:25.000Z","cveId":"CVE-2026-27482","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["ray@< 2.54.0 (fixed: 2.54.0)"],"affectedVendors":[],"affectedVendorsRaw":["Ray"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00036,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}