Unauthenticated DELETE Vulnerability in Ray AI Compute Engine
CVE-2026-27482

5.9MEDIUM

Key Information:

Vendor

Ray-project

Status
Ray
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27482?

The Ray AI Compute Engine, in versions up to 2.53.0, exhibits a vulnerability where the dashboard HTTP server allows unauthenticated DELETE requests. This occurs because the DELETE endpoints are not sufficiently secured, creating the risk of malicious actors issuing commands that could terminate services or delete jobs without user consent. To mitigate this, users are strongly advised to update to version 2.54.0 or later, which addresses this security concern.

Affected Version(s)

ray < 2.54.0

References

https://github.com/ray-project/ray/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/ray-project/ray/pull/60526
x_refsource_MISC
https://github.com/ray-project/ray/commit/0fda8b824cdc9dc...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.