PatchSiren cyber security CVE debrief

CVE-2026-41486 ray-project CVE debrief

Ray Data in versions 2.54.0 through 2.54.x registers custom PyArrow extension types globally. When PyArrow parses a Parquet file schema containing these extension types, the `__arrow_ext_deserialize__` method passes metadata bytes directly to `cloudpickle.loads()`, enabling arbitrary code execution during schema parsing before any row data is read. This deserialization of untrusted data (CWE-502) allows code injection (CWE-94) with attacker-controlled Parquet files. The vulnerability is remotely exploitable when victims open malicious Parquet files. Anyscale patched this in Ray 2.55.0 by modifying the deserialization logic. No CISA KEV listing exists. Organizations using Ray 2.54.0 for data processing should prioritize upgrading, especially in environments where Parquet files from external or untrusted sources are ingested.

Vendor: ray-project
Product: ray
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-18
Advisory published: 2026-05-08
Advisory updated: 2026-05-18

Who should care

Organizations running Ray 2.54.0 for distributed data processing, particularly those ingesting Parquet files from external sources, untrusted data pipelines, or multi-tenant environments where users can supply data files. Data engineers, ML platform teams, and security operations centers managing Ray deployments should prioritize this patch.

Technical summary

Ray Data versions from 2.54.0 up to, but not including, 2.55.0 register custom Arrow extension types whose metadata is deserialized with cloudpickle.loads() without any validation. When PyArrow reads a Parquet file containing these extension types, attacker-controlled metadata triggers arbitrary code execution during schema parsing. Exploitation requires a user to open a malicious file, but the impact is high across confidentiality, integrity, and availability. Patch commit c02bd31ae31996805868baa446a131a8d304525f removes the unsafe deserialization.
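The two deserialization paths side by side, as an added illustration that is not Ray's code: in PyArrow the hook is the `__arrow_ext_deserialize__(cls, storage_type, serialized)` classmethod on an `ExtensionType` subclass, shown here as plain functions with the stdlib `pickle` standing in for `cloudpickle`. The metadata layout (a tensor `shape` plus `dtype`) and the dtype allowlist are constructed assumptions, not the actual Ray schema.

```python
import json
import pickle

# Constructed assumption: the extension metadata describes a tensor column
# as {"shape": [...], "dtype": "..."}. Not Ray's real metadata format.
ALLOWED_DTYPES = {"int8", "int16", "int32", "int64", "float32", "float64", "bool"}


def deserialize_unsafe(serialized: bytes) -> dict:
    """Vulnerable pattern (CWE-502): footer bytes are unpickled as-is.

    pickle, like cloudpickle, rebuilds arbitrary objects and calls their
    reducers, so whoever wrote the Parquet footer decides what runs here,
    before any row data is read.
    """
    return pickle.loads(serialized)


def deserialize_safe(serialized: bytes) -> dict:
    """Hardened pattern: parse as JSON, then validate every field.

    json.loads only ever produces dicts, lists, str, numbers, bool and None,
    so nothing in the payload is executable. Anything that is not exactly
    the expected shape is rejected, including stray pickle streams.
    """
    try:
        meta = json.loads(serialized.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("extension metadata is not valid JSON") from exc
    if not isinstance(meta, dict) or set(meta) != {"shape", "dtype"}:
        raise ValueError("extension metadata must contain exactly shape and dtype")
    shape, dtype = meta["shape"], meta["dtype"]
    # bool is a subclass of int, so exclude it explicitly.
    if not (isinstance(shape, list) and all(
            isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape)):
        raise ValueError("shape must be a list of non-negative integers")
    if dtype not in ALLOWED_DTYPES:
        raise ValueError(f"dtype {dtype!r} is not in the allowlist")
    return {"shape": tuple(shape), "dtype": dtype}


def serialize_safe(shape, dtype) -> bytes:
    """Writer-side counterpart: emit the JSON form deserialize_safe accepts."""
    return json.dumps({"shape": list(shape), "dtype": dtype}).encode("utf-8")


def legacy_pickled_metadata() -> bytes:
    """Constructed, benign pickle of the same metadata (the old wire format)."""
    return pickle.dumps({"shape": [2, 3], "dtype": "float32"})


def is_accepted(serialized: bytes) -> bool:
    """True if deserialize_safe accepts the payload, False if it rejects it."""
    try:
        deserialize_safe(serialized)
        return True
    except ValueError:
        return False
```

The hardened reader never reaches a pickle decoder, so a footer written in the old format is simply rejected rather than executed.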

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Ray to version 2.55.0 or later to eliminate the vulnerable deserialization path
  • If immediate patching is not feasible, restrict ingestion of Parquet files to trusted sources only and implement pre-processing validation
  • Audit systems for Ray 2.54.0 installations, particularly in data pipelines processing external Parquet data
  • Monitor for anomalous process execution during Parquet schema parsing operations
  • Review access controls on data lake and object storage repositories containing Parquet files to prevent unauthorized file placement

Evidence notes

Vulnerability confirmed in Ray 2.54.0; patched in 2.55.0. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, user interaction required, and high confidentiality, integrity, and availability impact on both the vulnerable system and subsequent systems. Weaknesses identified as CWE-94 (Improper Control of Generation of Code) and CWE-502 (Deserialization of Untrusted Data).

Official resources

2026-05-08