Skip to main content

Ray EUVDEUVD-2026-41089

| CVE-2026-57516 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-01 disclosure@vulncheck.com
8.6
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable data reader with no auth (PR:N) but a victim must ingest the malicious archive (UI:R); pickle deserialization yields full code execution, hence C/I/A:H and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 18:02 EUVD
Analysis Generated
Jul 01, 2026 - 17:40 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 885 pypi packages depend on ray (626 direct, 265 indirect)

Ecosystem-wide dependent count for version 2.56.0.

DescriptionCVE.org

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.

AnalysisAI

Remote code execution in Ray (the distributed compute/ML framework) before version 2.56.0 lets attackers run arbitrary code by feeding a malicious tar archive to the WebDataset reader. The read_webdataset() datasource invokes pickle.loads() on .pkl/.pickle entries and torch.load() with weights_only=False on .pt/.pth entries with no validation, so code executes inside every Ray remote worker that processes the archive. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious WebDataset tar with pickled payload
Delivery
Deliver archive into dataset source
Exploit
Victim job calls read_webdataset()
Execution
_default_decoder runs pickle.loads/torch.load
Persist
Arbitrary code executes on Ray workers
Impact
Cluster compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires that a Ray Data pipeline actually invokes read_webdataset() and processes an attacker-supplied tar archive containing an entry with a .pkl, .pickle, .pt, or .pth extension - this maps to the CVSS UI:A (active user interaction) requirement, meaning a victim or automated job must ingest the malicious archive. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 score is 8.6 with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, meaning network-reachable, low-complexity, no privileges, but requiring active user interaction (a victim/pipeline must actually ingest the attacker's archive) with full confidentiality, integrity and availability impact and no scope change to other systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a WebDataset tar archive containing a .pkl (or .pt) entry whose serialized payload runs a shell command via pickle's __reduce__ mechanism, then gets it into a data pipeline - for example by uploading it to a shared dataset bucket or publishing it as a public training set. When a Ray Data job calls read_webdataset() on that archive, _default_decoder() deserializes the entry and the attacker's code executes on every Ray worker that processes the shard. …
Remediation Vendor-released patch: upgrade to Ray 2.56.0 or later, which contains the fixes from pull requests https://github.com/ray-project/ray/pull/63469 and https://github.com/ray-project/ray/pull/63470. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Ray deployments and current versions in use, prioritizing production ML pipelines and distributed data processing environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy