Fetching from the wire…
Public story · 2026-02-21 · source-backed
Disclosed today, CVE-2026-27482 (CVSS 5.9) affects Ray versions <=2.53.0. The Ray dashboard HTTP server blocks browser-origin POST and PUT but fails to cover DELETE. If the dashboard is network-reachable, unauthenticated DELETE requests can shut down Ray Serve or delete running jobs via DNS rebinding. Patched in Ray 2.54.0. This joins a pattern of AI infrastructure components with weak authentication on management interfaces.
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / What happened next
Both cover CVE, CVSS, POST; overlapping topics (authentication, cvss); picks up the CVE thread on 2026-03-25.
Both cover CVE, CVSS, Patched; overlapping topics (authentication, cvss); picks up the CVE thread on 2026-02-27.
Shared entities / Same source domain / Earlier coverage
Both cover CVE, CVSS, Patched; reported by the same outlet (advisories.gitlab.com); earlier CVE coverage from 2026-02-20.
Shared entities / What happened next / Tension
Both cover CVE, CVSS, HTTP; picks up the CVE thread on 2026-03-23; pushes against this story (against).
Shared entities / Shared topic / What happened next
Both cover CVE, CVSS; overlapping topics (cvss, disclosed, infrastructure); picks up the CVE thread on 2026-03-22.
Both cover CVE, CVSS; overlapping topics (authentication, component, cvss); picks up the CVE thread on 2026-03-03.
Shared entities / What happened next
Both cover CVE, CVSS, POST; picks up the CVE thread on 2026-06-08.
Both cover CVE, CVSS, Post; picks up the CVE thread on 2026-04-03.