CVE-2026-57516
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
Ray prior to version 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader. An attacker can achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers.
Risk Assessment
The risk for the organization includes full compromise of the Ray cluster by a remote attacker, potentially leading to data theft, service disruption, or lateral movement within the infrastructure.
Recommendation
Upgrade Ray to version 2.56.0 or later immediately. If an upgrade is not possible, restrict access to the read_webdataset() function to trusted data sources only.
Original NVD description (English source)
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.

