CVE-2026-32981 is a path traversal vulnerability classified under CWE-22, discovered in the Ray Dashboard component of the ray-project Ray software prior to version 2.8.1. The vulnerability stems from inadequate validation and sanitization of user-supplied file paths in the static file serving mechanism on the dashboard, which by default listens on port 8265. Attackers can exploit this flaw by crafting requests containing directory traversal sequences (e.g., '../') to escape the intended static file directory and access arbitrary files on the host system. This results in unauthorized local file disclosure, potentially exposing sensitive configuration files, credentials, or other critical data. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:H/VI:N/VA:N) reflects a high severity with a base score of 8.7, emphasizing the ease of exploitation and high confidentiality impact. Although no active exploits have been reported, the widespread use of Ray in AI and distributed computing environments makes this a significant concern. The issue was publicly disclosed on March 17, 2026, and fixed in Ray version 2.8.1. No official patch links were provided in the source data, but upgrading to the fixed version is the primary remediation step.

The primary impact of CVE-2026-32981 is unauthorized disclosure of local files on systems running vulnerable versions of Ray with the dashboard exposed. This can lead to leakage of sensitive information such as configuration files, credentials, private keys, or proprietary data, which attackers can leverage for further compromise or lateral movement. Since the vulnerability requires no authentication or user interaction, any exposed Ray Dashboard instance is at risk from remote attackers. Organizations relying on Ray for AI workloads, distributed computing, or data analytics may face data breaches, intellectual property theft, or operational disruptions. The confidentiality breach could also undermine trust and compliance with data protection regulations. Although the vulnerability does not directly enable code execution or denial of service, the information gained can facilitate more severe attacks. The scope includes all affected Ray deployments with accessible dashboards, particularly in cloud environments, research institutions, and enterprises using Ray for scalable computing.

To mitigate CVE-2026-32981, organizations should immediately upgrade Ray to version 2.8.1 or later, where the path traversal vulnerability is addressed. Until upgrades can be applied, restrict network access to the Ray Dashboard port (8265) using firewalls, VPNs, or network segmentation to limit exposure to trusted users only. Implement additional input validation and sanitization controls on any custom integrations or proxies handling Ray dashboard requests. Monitor logs for suspicious requests containing directory traversal patterns (e.g., '../') targeting the dashboard. Employ host-based intrusion detection systems to detect anomalous file access patterns. Conduct regular security assessments of Ray deployments to ensure no unauthorized file access has occurred. Educate DevOps and security teams on the risks of exposing internal dashboards without proper access controls. Finally, maintain an inventory of Ray versions in use and apply security updates promptly.