Vulnerability DatabaseCVE-2026-27482

CVE-2026-27482:
Chainguard vulnerability analysis and mitigation

Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact. The fix for this vulnerability is to update to Ray 2.54.0 or higher.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

6.5

Score

Published February 21, 2026

Severity MEDIUM

CNA Score 5.9

Affected Technologies

Chainguard
Ray

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 11.8

Exploitation Probability (EPSS) N/A

Affected packages and libraries

tritonserver-backend-vllm-cuda-12.9
ray

Sources

NVD
Chainguard
- Chainguard Has FixAdded at: Feb 24, 2026
GitHub Advisory Database
- pip Severity MEDIUMHas FixAdded at: Feb 21, 2026
Homebrew
- Homebrew Severity MEDIUMHas FixAdded at: Mar 02, 2026
Minimus
- MinimOS Severity MEDIUMHas FixAdded at: Mar 17, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Chainguard vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-34543	HIGH	8.7	Wolfi	openexr	No	No	Apr 01, 2026
CVE-2026-34545	HIGH	8.4	Wolfi	OpenEXR	No	No	Apr 01, 2026
CVE-2026-34544	HIGH	8.4	Wolfi	openexr	No	No	Apr 01, 2026
CVE-2026-34529	HIGH	7.6	Wolfi	github.com/filebrowser/filebrowser/v2	No	Yes	Apr 01, 2026
CVE-2026-34530	MEDIUM	6.9	Wolfi	github.com/filebrowser/filebrowser/v2	No	Yes	Apr 01, 2026