CVE-2026-32981 PUBLISHED

Ray Dashboard <= 2.8.0 Path Traversal Leading to Local File Disclosure

Assigner: VulnCheck
Reserved: 17.03.2026 Published: 17.03.2026 Updated: 17.03.2026

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor ray-project
Product Ray
Versions Default: unaffected
  • affected from 0 to 2.8.1 (excl.)

Credits

  • indoushka finder

References

Problem Types

  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE