{
  "threat_severity" : "Important",
  "public_date" : "2026-03-17T19:33:50Z",
  "bugzilla" : {
    "description" : "ray: Ray Dashboard Path Traversal Leading to Local File Disclosure",
    "id" : "2448440",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2448440"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure.", "A path traversal flaw has been identified in Ray Dashboard in the Ray Pypi package. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the intended static directory, resulting in local file disclosure." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-03-25T00:00:00Z",
    "advisory" : "RHSA-2026:5809",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-cuda-rhel9:1774351144"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-04-07T00:00:00Z",
    "advisory" : "RHSA-2026:6761",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/model-opt-cuda-rhel9:1774547384"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-04-07T00:00:00Z",
    "advisory" : "RHSA-2026:6762",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-rocm-rhel9:1775252598"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:1778677779"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9:1778677692"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9:1778677701"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9:1778677741"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:1778677767"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9:1778677718"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9:1778677716"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9:1778677734"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9:1778677667"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9:1778677717"
  }, {
    "product_name" : "Red Hat OpenShift AI 3.3",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19712",
    "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9",
    "package" : "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9:1778677722"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-aws-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-azure-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-gcp-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-agent-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-controller-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-router-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kserve-storage-initializer-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-vllm-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-vllm-gaudi-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32981\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32981\nhttps://github.com/ray-project/ray\nhttps://packetstorm.news/files/id/215801/\nhttps://www.vulncheck.com/advisories/ray-dashboard-path-traversal-leading-to-local-file-disclosure" ],
  "name" : "CVE-2026-32981",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}