Arbitrary Code Execution Vulnerability in Ray AI Compute Engine
CVE-2026-41486

8.9HIGH

Key Information:

Vendor

Ray-project

Status
Ray
Vendor
CVE Published:
8 May 2026

What is CVE-2026-41486?

The Ray AI Compute Engine has a vulnerability where, prior to version 2.55.0, it registers custom Arrow extension types in PyArrow. This misconfiguration allows arbitrary code execution when PyArrow processes Parquet files containing these extension types. By exploiting this flaw, malicious actors could execute arbitrary code on the server during schema parsing of such files, posing a significant risk to the integrity of the system. The issue has been effectively addressed in version 2.55.0.

Affected Version(s)

ray >= 2.54.0, < 2.55.0

References

https://github.com/ray-project/ray/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/ray-project/ray/pull/62056
x_refsource_MISC
https://github.com/ray-project/ray/commit/c02bd31ae319968...
x_refsource_MISC

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.