PYSEC-2026-515

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/ray/PYSEC-2026-515.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-515
Aliases
Published
2026-06-29T11:50:43.503653Z
Modified
2026-07-01T20:23:03.577472Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Summary
Ray Path Traversal vulnerability
Details

A local file inclusion (LFI) vulnerability in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

References

Affected packages

PyPI / ray

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.8.1

Affected versions

0.*
0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.4.0
0.5.0
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.12.0
1.12.1
1.13.0
2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.3.0rc0
2.3.0
2.3.1
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0rc0
2.7.0
2.7.1
2.7.2
2.8.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/ray/PYSEC-2026-515.yaml"