@blamejs/exceptd-skills 0.13.78 → 0.13.80

package/data/atlas-ttps.json

@@ -1525,7 +1525,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--f13dede7-12ee-5f0e-985a-4f801aecb681",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0029": {
     "id": "AML.T0029",
@@ -1573,7 +1576,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--7bbac64e-2b1d-5cb0-a442-bb7573b0a328",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0035": {
     "id": "AML.T0035",
@@ -1589,7 +1595,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--801658f2-81cd-5935-93c7-5e6e2d80e669",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0036": {
     "id": "AML.T0036",
@@ -1685,7 +1694,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0050": {
     "id": "AML.T0050",

package/data/attack-techniques.json

@@ -269,6 +269,7 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-1094",
       "CVE-2025-11837",
@@ -825,6 +826,7 @@
       "CVE-2023-33538",
       "CVE-2023-3519",
       "CVE-2023-39780",
+      "CVE-2023-48022",
       "CVE-2023-52163",
       "CVE-2024-12987",
       "CVE-2024-1709",
@@ -965,6 +967,8 @@
       "CVE-2026-22769",
       "CVE-2026-22778",
       "CVE-2026-23760",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-25108",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -2456,6 +2460,7 @@
     "name": "Resource Hijacking",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-48022",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking may take a number of different forms. For example, adversaries may: * Leverage compute resources in order to mine cryptocurrency * Sell network bandwidth to proxy networks * Generate SMS traffic for profit * Abuse cloud-based messaging services to send large quantities of spam messages In some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)",

package/data/cve-catalog.json

@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.036,
+      "current_rate": 0.035,
       "current_floor_enforced_by_test": 0.03,
       "ladder_to_target": [
         0.03,
@@ -11096,6 +11096,318 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Modular Max Server deserializes untrusted data when the experimental KVCache agent is enabled, allowing code execution; part of the ShadowMQ code-reuse family; fixed in 25.6.0."
   },
+  "CVE-2026-24207": {
+    "name": "NVIDIA Triton Inference Server Authentication Bypass (Alternate Path) RCE",
+    "type": "AUTH-BYPASS",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD/NIST CVSS v3.1 base 9.8 (CRITICAL). Unauthenticated, network-reachable authentication bypass via an alternate path or channel (CWE-288); a successful bypass can lead to code execution, privilege escalation, data tampering, DoS, or information disclosure.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in NVIDIA's May 2026 Triton Inference Server security bulletin and follow-on security reporting: an unauthenticated network request reaches Triton's control plane via an alternate path/channel that the authentication layer does not cover (CWE-288).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through NVIDIA's coordinated security bulletin (May 2026). The abused surface is the authentication layer of a widely deployed AI inference server.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; an authentication-bypass design flaw in the inference server control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor bulletin disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Triton Inference Server versions prior to r26.03.",
+    "affected_versions": [
+      "NVIDIA Triton Inference Server < 26.03"
+    ],
+    "vector": "NVIDIA Triton Inference Server exposes a control-plane path that bypasses the authentication layer (CWE-288, authentication bypass using an alternate path or channel). An unauthenticated network attacker reaches privileged functionality without credentials.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — network-reachable, unauthenticated, low-complexity.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Triton Inference Server r26.03 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Triton Inference Server to r26.03 or later. Until then, do not expose Triton's HTTP/gRPC endpoints to untrusted networks and place it behind an authenticating reverse proxy."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification-and-authentication control is asserted for the application but not verified to cover every control-plane path of the AI inference server; an alternate path bypasses it.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference servers as managed, network-exposed control planes requiring rapid patching.",
+      "ISO-27001-2022-A.5.15": "Access-control policy does not enumerate the inference server's alternate request paths as in-scope, so an alternate path bypasses authentication.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI inference server's authentication layer as a privileged control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated bypass of an AI inference server's control plane as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for proving authentication covers every path into the inference server.",
+      "AU-ISM-1546": "Patch-application control does not single out network-exposed AI inference servers.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework requires the AI inference server's authentication to be proven complete across all request paths; an alternate-path bypass exposes the model control plane unauthenticated."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Triton is among the most widely deployed inference servers) minus patch 15. Note: unauthenticated network reachability on a critical AI control plane raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-24207",
+    "cwe_refs": [
+      "CWE-288"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Triton HTTP/gRPC requests reaching privileged control-plane endpoints (model load/unload, repository management) without a valid authentication context.",
+        "Model repository changes or inference-config changes not attributable to an authenticated operator.",
+        "Triton Inference Server below r26.03 exposed to a network reachable by untrusted clients — the exposed precondition.",
+        "Unexpected processes or model artifacts appearing on the Triton host following anomalous control-plane traffic."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-24207 (CWE-288 authentication bypass) and NVIDIA's May 2026 Triton Inference Server security bulletin (https://nvidia.custhelp.com/app/answers/detail/a_id/5828)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-24207",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5828"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5828",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-24207",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24207",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-288; NIST CVSS 9.8) + NVIDIA's May 2026 Triton Inference Server security bulletin. One of two authentication-bypass CVEs (with CVE-2026-24206) patched in r26.03.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Triton Inference Server lets an unauthenticated network attacker bypass authentication via an alternate path (CWE-288), enabling code execution and full compromise; fixed in r26.03."
+  },
+  "CVE-2026-24206": {
+    "name": "NVIDIA Triton Inference Server Authentication Bypass (Alternate Channel)",
+    "type": "AUTH-BYPASS",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD/NIST CVSS v3.1 base 9.8 (CRITICAL); NVIDIA as CNA scored it 7.3 (HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) — a documented scoring dispute. Unauthenticated, network-reachable authentication bypass via an alternate path or channel (CWE-288).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in NVIDIA's May 2026 Triton Inference Server security bulletin and follow-on security reporting: an unauthenticated network request reaches Triton's control plane via an alternate path/channel that the authentication layer does not cover (CWE-288).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed through NVIDIA's coordinated security bulletin (May 2026). The abused surface is the authentication layer of a widely deployed AI inference server.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization reported; an authentication-bypass design flaw in the inference server control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Vendor bulletin disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "NVIDIA Triton Inference Server versions prior to r26.03.",
+    "affected_versions": [
+      "NVIDIA Triton Inference Server < 26.03"
+    ],
+    "vector": "NVIDIA Triton Inference Server exposes a control-plane path that bypasses the authentication layer (CWE-288, authentication bypass using an alternate path or channel). An unauthenticated network attacker reaches privileged functionality without credentials.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — network-reachable, unauthenticated, low-complexity.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is an application upgrade to Triton Inference Server r26.03 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade NVIDIA Triton Inference Server to r26.03 or later. Until then, do not expose Triton's HTTP/gRPC endpoints to untrusted networks and place it behind an authenticating reverse proxy."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification-and-authentication control is asserted for the application but not verified to cover every control-plane path of the AI inference server; an alternate path bypasses it.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track AI inference servers as managed, network-exposed control planes requiring rapid patching.",
+      "ISO-27001-2022-A.5.15": "Access-control policy does not enumerate the inference server's alternate request paths as in-scope, so an alternate path bypasses authentication.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI inference server's authentication layer as a privileged control plane.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated bypass of an AI inference server's control plane as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for proving authentication covers every path into the inference server.",
+      "AU-ISM-1546": "Patch-application control does not single out network-exposed AI inference servers.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework requires the AI inference server's authentication to be proven complete across all request paths; an alternate-path bypass exposes the model control plane unauthenticated."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3). poc_available=20 + blast_radius=26 (Triton is among the most widely deployed inference servers) minus patch 15. Note: unauthenticated network reachability on a critical AI control plane raises operational urgency beyond the RWEP number.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-24206",
+    "cwe_refs": [
+      "CWE-288"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Triton HTTP/gRPC requests reaching privileged control-plane endpoints (model load/unload, repository management) without a valid authentication context.",
+        "Model repository changes or inference-config changes not attributable to an authenticated operator.",
+        "Triton Inference Server below r26.03 exposed to a network reachable by untrusted clients — the exposed precondition.",
+        "Unexpected processes or model artifacts appearing on the Triton host following anomalous control-plane traffic."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2026-24206 (CWE-288 authentication bypass) and NVIDIA's May 2026 Triton Inference Server security bulletin (https://nvidia.custhelp.com/app/answers/detail/a_id/5828)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-24206",
+      "https://nvidia.custhelp.com/app/answers/detail/a_id/5828"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "NVIDIA Product Security",
+        "advisory_id": "NVIDIA-5828",
+        "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5828",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-24206",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24206",
+        "severity": "critical",
+        "published_date": "2026-05-20"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-288; NIST CVSS 9.8) + NVIDIA's May 2026 Triton Inference Server security bulletin. One of two authentication-bypass CVEs (with CVE-2026-24207) patched in r26.03.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "NVIDIA Triton Inference Server has a second authentication bypass (CWE-288) reachable unauthenticated over the network, enabling privilege escalation and information disclosure; fixed in r26.03. NVD scores 9.8; NVIDIA scores 7.3."
+  },
+  "CVE-2023-48022": {
+    "name": "Anyscale Ray Job Submission API Unauthenticated RCE (ShadowRay)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); NVD marks the record DISPUTED. NVD assigns CWE-918; the operational root cause is missing authorization (CWE-862) on the Ray Job Submission / Dashboard API, which accepts and runs attacker-supplied code without authentication.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit and detection content exist (e.g. github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022 and a ProjectDiscovery nuclei template): an unauthenticated request to an internet-exposed Ray Dashboard / Job Submission API submits a Python payload that runs on worker nodes.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Bishop Fox and tracked at scale by Oligo Security (ShadowRay / ShadowRay 2.0). The abused surface is the Job Submission API of a widely deployed AI/ML compute framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the significance is that the exposed compute is AI/ML infrastructure (model weights, training data, cloud credentials) and the impact includes AI artifact theft.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Confirmed mass exploitation in the wild. Oligo's ShadowRay 2.0 campaign (active since September 2024, reported through 2026) turned exposed Ray clusters into crypto-mining botnets and exfiltrated model weights and cloud credentials; reporting counts on the order of 230,000 internet-exposed Ray environments. Not on the CISA KEV catalog because NVD lists the CVE as disputed.",
+    "affected": "Anyscale Ray (open-source distributed AI/ML compute framework). NVD records 2.6.3 and 2.8.0; the unauthenticated Job Submission / Dashboard API behavior persists across releases until network controls or token authentication (added in 2.52.0) are applied.",
+    "affected_versions": [
+      "Anyscale Ray 2.6.3",
+      "Anyscale Ray 2.8.0",
+      "Anyscale Ray (Job Submission API exposed without token auth, < 2.52.0)"
+    ],
+    "vector": "Ray's Dashboard / Job Submission API accepts a job specification containing Python code and runs it on cluster worker nodes without requiring authentication (missing authorization). An unauthenticated attacker who can reach an exposed Ray dashboard achieves remote code execution across the cluster, then harvests AI artifacts and cloud credentials and hijacks compute for crypto mining.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — network-reachable, unauthenticated, low-complexity. The precondition is an internet-exposed Ray dashboard.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No code patch — the vendor disputes this is a vulnerability and treats the open Job API as intended for trusted networks. Mitigation: never expose the Ray dashboard / Job Submission API to untrusted networks, enable token authentication (Ray 2.52.0+), and place the cluster behind network controls.",
+    "vendor_update_paths": [
+      "Do not expose the Ray dashboard / Job Submission API to untrusted networks. Enable token authentication (Ray 2.52.0 or later). Restrict the dashboard to a controlled network segment and put an authenticating proxy in front. Treat any internet-exposed Ray cluster as compromised and rotate cloud credentials and model artifacts."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is treated as out-of-scope for the Ray Job API because the vendor frames the cluster as a controlled-network deployment; in practice the API is internet-exposed and unauthenticated.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the AI compute cluster is network-isolated; reality is hundreds of thousands of internet-exposed dashboards.",
+      "ISO-27001-2022-A.5.15": "Access-control policy does not require authentication on the AI compute framework's job API, relying on an assumed controlled network.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not address a disputed, no-patch vulnerability whose only remediation is configuration and network control.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated, actively-exploited AI compute control plane as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no requirement to authenticate the AI compute framework's job submission API.",
+      "AU-ISM-1546": "Patch-application control offers nothing for a disputed, no-patch flaw remediated only by configuration.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework rejects the 'controlled network is the security control' assumption for AI compute; an exposed, unauthenticated Job API is RCE plus AI-artifact and credential theft."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0034",
+      "AML.T0035",
+      "AML.T0025"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1496"
+    ],
+    "rwep_score": 68,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1/High (RWEP 68, >= 60 \"patch within 72 hours\" band per lib/scoring.js timeline). poc_available=20 + active_exploitation confirmed=20 (ShadowRay 2.0 mass exploitation) + blast_radius=28 (≈230k exposed Ray environments) with no patch credit (disputed, configuration-only mitigation). Not on CISA KEV because NVD lists the CVE as disputed — a case where RWEP, not KEV or CVSS alone, captures the real-world priority.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-48022",
+    "cwe_refs": [
+      "CWE-862",
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Internet-reachable Ray dashboard (default port 8265) or Job Submission API responding without authentication.",
+        "Ray job specifications submitted from unexpected source IPs that spawn shell commands, miners, or reverse shells on worker nodes.",
+        "Outbound connections from Ray workers to mining pools or attacker infrastructure; cloud credential or model-weight egress following job submission.",
+        "Ray clusters exposed without token authentication (pre-2.52.0 default, or token auth not enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2023-48022 (disputed; operational root cause missing authorization on the Ray Job Submission API), the Bishop Fox advisory (https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0), and Oligo Security's ShadowRay / ShadowRay 2.0 in-the-wild reporting. MITRE ATLAS case study AML.CS0023."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
+      "https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0",
+      "https://atlas.mitre.org/studies/AML.CS0023",
+      "https://www.darkreading.com/cyber-risk/shadowray-20-ai-clusters-crypto-botnets"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Anyscale (Ray Security)",
+        "advisory_id": "ray-security-docs",
+        "url": "https://docs.ray.io/en/latest/ray-security/index.html",
+        "severity": "critical",
+        "published_date": "2023-11-28"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-48022",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
+        "severity": "critical",
+        "published_date": "2023-11-28"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (disputed; NVD CWE-918, operational root cause CWE-862; NIST CVSS 9.8) + the Bishop Fox advisory + Oligo Security ShadowRay reporting + MITRE ATLAS case study AML.CS0023. A landmark actively-exploited AI-compute exposure that no patch addresses.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Anyscale Ray's Job Submission / Dashboard API runs attacker-supplied code without authentication; internet-exposed clusters are mass-exploited (ShadowRay 2.0) for crypto mining and AI-artifact / credential theft. Vendor-disputed, no code patch — mitigate with token auth (2.52.0+) and network isolation."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1706,6 +1706,7 @@
       "webapp-security"
     ],
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2023-52163",
       "CVE-2024-57726",
       "CVE-2025-20362",
@@ -1819,6 +1820,7 @@
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-39935",
+      "CVE-2023-48022",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [
@@ -2412,6 +2414,8 @@
       "CVE-2025-57819",
       "CVE-2026-1603",
       "CVE-2026-23760",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-24858"
     ],
     "last_verified": "2026-05-18",

package/data/framework-control-gaps.json

@@ -34,6 +34,7 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-23254",
       "CVE-2025-30165",
@@ -43,6 +44,8 @@
       "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-26015",
       "CVE-2026-30616",
       "CVE-2026-30617",
@@ -1746,6 +1749,7 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
@@ -1760,6 +1764,8 @@
       "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -2099,6 +2105,7 @@
     "status": "open",
     "opened_date": "2026-05-01",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-40635",
       "CVE-2025-53767",
       "CVE-2026-42897"
@@ -2501,6 +2508,8 @@
       "CVE-2026-22769",
       "CVE-2026-23760",
       "CVE-2026-24061",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-2441",
       "CVE-2026-24423",
       "CVE-2026-24858",
@@ -3568,7 +3577,11 @@
     "real_requirement": "Identity controls treat AI agents as distinct principals where they execute tools; MCP plugin invocations log model decision + tool name + arguments + user identity; AI-provider service credentials are short-lived, rotated, and excluded from cleartext storage policy exceptions; passkeys/WebAuthn for human-operator-to-AI authentication where supported.",
     "status": "open",
     "opened_date": "2026-05-13",
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2023-48022",
+      "CVE-2026-24206",
+      "CVE-2026-24207"
+    ],
     "atlas_refs": [
       "AML.T0010",
       "AML.T0051"
@@ -4775,6 +4788,7 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
@@ -4787,6 +4801,8 @@
       "CVE-2026-20182",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -5341,6 +5357,7 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
@@ -5351,6 +5368,8 @@
       "CVE-2025-60455",
       "CVE-2026-22252",
       "CVE-2026-22688",
+      "CVE-2026-24206",
+      "CVE-2026-24207",
       "CVE-2026-25592",
       "CVE-2026-26015",
       "CVE-2026-30616",
@@ -5566,7 +5585,10 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
-      "CVE-2025-55241"
+      "CVE-2023-48022",
+      "CVE-2025-55241",
+      "CVE-2026-24206",
+      "CVE-2026-24207"
     ],
     "atlas_refs": [],
     "attack_refs": [
@@ -5631,8 +5653,11 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2023-48022",
       "CVE-2024-1709",
-      "CVE-2026-20182"
+      "CVE-2026-20182",
+      "CVE-2026-24206",
+      "CVE-2026-24207"
     ],
     "atlas_refs": [],
     "attack_refs": [