CVE-2026-32981
Modified Modified - Updated After Analysis

Path Traversal in Ray Dashboard Allows Local File Disclosure

Vulnerability report for CVE-2026-32981, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-17

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-17
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-03-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
anyscale ray to 2.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32981 is a path traversal vulnerability found in Ray Dashboard versions prior to 2.8.1. It occurs because the software does not properly validate or sanitize user-supplied file paths in its static file handling mechanism. This flaw allows an attacker to use traversal sequences like "../" to navigate outside the intended static directory and access local files that should be protected.'}] [2]

Impact Analysis

This vulnerability can lead to local file disclosure, meaning an attacker can remotely access sensitive files on the system running the Ray Dashboard without any authentication or user interaction. The impact is primarily on confidentiality, as sensitive information stored in files outside the intended directory can be exposed.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Ray Dashboard to version 2.8.1 or later, as the issue is fixed in these versions.

Additionally, consider restricting access to the Ray Dashboard service (default port 8265) to trusted networks or users to reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32981. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart