@blamejs/exceptd-skills 0.13.97 → 0.13.98

package/data/atlas-ttps.json

@@ -1722,6 +1722,8 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",

package/data/attack-techniques.json

@@ -276,6 +276,7 @@
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
+      "CVE-2023-6019",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
@@ -861,6 +862,8 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-12987",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -3557,6 +3560,7 @@
     "is_subtechnique": false,
     "cve_refs": [
       "CVE-2023-51449",
+      "CVE-2023-6021",
       "CVE-2024-1561",
       "CVE-2024-39722",
       "CVE-2026-34926"

package/data/cve-catalog.json

@@ -14961,6 +14961,214 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Milvus exposes port 9091 with weak default tokens and unauthenticated API access (CWE-306), enabling arbitrary expression evaluation and full unauthenticated control; fixed in 2.5.27 / 2.6.10."
   },
+  "CVE-2023-6019": {
+    "name": "Anyscale Ray Dashboard cpu_profile Command Injection RCE",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL). The Ray dashboard's cpu_profile URL parameter is passed to a system command without neutralization (CWE-78), allowing unauthenticated remote command execution on the dashboard host.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the GitHub advisory and the Anyscale Ray CVE response: an unauthenticated request to the Ray dashboard cpu_profile endpoint injects an OS command.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the Ray dashboard CVE cluster (Bishop Fox / Protect AI; Anyscale CVE response). Ray is a widely used distributed AI/ML compute framework; the abused surface is its dashboard.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; command injection in the AI compute framework's dashboard.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Coordinated disclosure with a fix in Ray 2.8.1; no confirmed in-the-wild exploitation specific to this CVE (the separate disputed Job-API issue CVE-2023-48022 is the one mass-exploited as ShadowRay).",
+    "affected": "Anyscale Ray before 2.8.1 (the dashboard cpu_profile endpoint).",
+    "affected_versions": [
+      "Anyscale Ray < 2.8.1"
+    ],
+    "vector": "Ray's dashboard exposes a cpu_profile endpoint whose URL parameter is incorporated into a system command without neutralization (CWE-78). An unauthenticated attacker who can reach the dashboard executes arbitrary OS commands on the host - distinct from the ShadowRay Job API RCE (CVE-2023-48022), and fixed (unlike ShadowRay) in Ray 2.8.1.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N - unauthenticated against a reachable Ray dashboard.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Anyscale Ray to 2.8.1 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Anyscale Ray to 2.8.1 or later, and never expose the Ray dashboard to untrusted networks (bind to loopback / authenticate via a proxy). Run Ray least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is not enforced on the Ray dashboard; an unauthenticated attacker reaches command/file endpoints.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the AI compute framework's dashboard as managed, network-exposed software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI compute dashboard's endpoints as command-injection / LFI surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI compute framework's dashboard as a privileged control plane.",
+      "DORA-Art-9": "ICT protection measures do not model dashboard RCE / LFI in an AI compute framework as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no requirement to authenticate the AI compute dashboard.",
+      "AU-ISM-1546": "Patch-application control does not single out AI compute frameworks' dashboards.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 31,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 26,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 31, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation for this CVE, patched in 2.8.1 (Hard Rule #3). poc_available=20 + blast_radius=26 (Ray is a widely used AI compute framework) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6019",
+    "cwe_refs": [
+      "CWE-78"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Requests to the Ray dashboard cpu_profile endpoint with shell metacharacters in the URL parameter.",
+        "Unexpected child processes spawned by the Ray dashboard process.",
+        "Ray dashboard reachable from untrusted networks (default no auth).",
+        "Anyscale Ray < 2.8.1 with the dashboard reachable by untrusted clients - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub advisory (GHSA-h3xg-wv58-5p43) and the Anyscale Ray CVE response (https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023), plus NVD CVE-2023-6019 (CWE-78)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6019",
+      "https://github.com/advisories/GHSA-h3xg-wv58-5p43",
+      "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "GHSA-h3xg-wv58-5p43",
+        "url": "https://github.com/advisories/GHSA-h3xg-wv58-5p43",
+        "severity": "critical",
+        "published_date": "2023-11-16"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6019",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6019",
+        "severity": "critical",
+        "published_date": "2023-11-16"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-78; NIST CVSS 9.8) + the Ray GitHub advisory / Anyscale CVE response. Ray dashboard flaw fixed in 2.8.1; complements the disputed ShadowRay Job-API entry (CVE-2023-48022) under the same Ray AI-compute control (NEW-CTRL-088).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Anyscale Ray's dashboard cpu_profile URL parameter is injected into a system command (CWE-78), giving unauthenticated RCE on the dashboard host; fixed in 2.8.1."
+  },
+  "CVE-2023-6021": {
+    "name": "Anyscale Ray Dashboard Log API Local File Inclusion",
+    "type": "INFO-DISCLOSURE",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NVD CVSS v3.1 base 7.5 (HIGH, confidentiality-only). Local file inclusion in the Ray dashboard log API (CWE-22; NVD also notes CWE-29) lets an unauthenticated attacker read any file on the server.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the GitHub advisory and the Anyscale Ray CVE response: an unauthenticated request to the Ray dashboard log API reads an arbitrary host file via path traversal.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the Ray dashboard CVE cluster (Bishop Fox / Protect AI; Anyscale CVE response). Ray is a widely used distributed AI/ML compute framework; the abused surface is its dashboard.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; path traversal / LFI in the AI compute framework's dashboard.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Coordinated disclosure with a fix in Ray 2.8.1; no confirmed in-the-wild exploitation specific to this CVE (the separate disputed Job-API issue CVE-2023-48022 is the one mass-exploited as ShadowRay).",
+    "affected": "Anyscale Ray before 2.8.1 (the dashboard log API).",
+    "affected_versions": [
+      "Anyscale Ray < 2.8.1"
+    ],
+    "vector": "Ray's dashboard log API endpoint resolves a caller-supplied path without restricting it to the log directory (CWE-22 path traversal / LFI). An unauthenticated attacker reads arbitrary files on the Ray host (configs, credentials, model artifacts).",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N - unauthenticated against a reachable Ray dashboard.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading Anyscale Ray to 2.8.1 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Anyscale Ray to 2.8.1 or later, and never expose the Ray dashboard to untrusted networks (bind to loopback / authenticate via a proxy). Run Ray least-privilege."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is not enforced on the Ray dashboard; an unauthenticated attacker reaches command/file endpoints.",
+      "NIST-800-53-SI-2": "Flaw-remediation cadence does not track the AI compute framework's dashboard as managed, network-exposed software.",
+      "ISO-27001-2022-A.8.8": "Vulnerability management rarely enumerates the AI compute dashboard's endpoints as command-injection / LFI surfaces.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not reach the AI compute framework's dashboard as a privileged control plane.",
+      "DORA-Art-9": "ICT protection measures do not model dashboard RCE / LFI in an AI compute framework as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no requirement to authenticate the AI compute dashboard.",
+      "AU-ISM-1546": "Patch-application control does not single out AI compute frameworks' dashboards.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation for this CVE, patched in 2.8.1 (Hard Rule #3). poc_available=20 + blast_radius=22 (Ray is a widely used AI compute framework) minus patch 15.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6021",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Ray dashboard log API requests containing path-traversal sequences (../) targeting files outside the log directory.",
+        "Reads of sensitive host files (configs, credentials) via the Ray dashboard from untrusted sources.",
+        "Ray dashboard reachable from untrusted networks (default no auth).",
+        "Anyscale Ray < 2.8.1 with the dashboard reachable by untrusted clients - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub advisory (Ray CVE cluster) and the Anyscale Ray CVE response (https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023), plus NVD CVE-2023-6021 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6021",
+      "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023",
+      "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Anyscale (Ray CVE response)",
+        "advisory_id": "CVE-2023-6021",
+        "url": "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023",
+        "severity": "high",
+        "published_date": "2023-11-16"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6021",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6021",
+        "severity": "high",
+        "published_date": "2023-11-16"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (CWE-22; NIST CVSS 7.5) + the Ray GitHub advisory / Anyscale CVE response. Ray dashboard flaw fixed in 2.8.1; complements the disputed ShadowRay Job-API entry (CVE-2023-48022) under the same Ray AI-compute control (NEW-CTRL-088).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Anyscale Ray's dashboard log API allows path traversal to read any file on the host without authentication (CWE-22 LFI); fixed in 2.8.1."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -95,6 +95,7 @@
       "CVE-2023-38950",
       "CVE-2023-43472",
       "CVE-2023-51449",
+      "CVE-2023-6021",
       "CVE-2024-0769",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -194,6 +195,7 @@
     "evidence_cves": [
       "CVE-2014-6278",
       "CVE-2023-39780",
+      "CVE-2023-6019",
       "CVE-2024-12987",
       "CVE-2025-11953",
       "CVE-2025-12686",

package/data/framework-control-gaps.json

@@ -38,6 +38,8 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -1391,6 +1393,8 @@
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0769",
       "CVE-2024-11182",
       "CVE-2024-11392",
@@ -1822,6 +1826,8 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -2451,6 +2457,8 @@
       "CVE-2023-50224",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-0769",
       "CVE-2024-11182",
@@ -3745,6 +3753,8 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-4889",
       "CVE-2024-6587",
       "CVE-2025-64513",
@@ -4963,6 +4973,8 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5594,6 +5606,8 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-0132",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -5922,6 +5936,8 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6019",
+      "CVE-2023-6021",
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",

package/data/zeroday-lessons.json

@@ -7633,6 +7633,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2023-6019": {
+    "name": "Anyscale Ray Dashboard cpu_profile Command Injection RCE",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Anyscale Ray's dashboard (CWE-78 command injection via the dashboard cpu_profile parameter) lets an unauthenticated attacker execute OS commands on the dashboard host. The dashboard has no authentication by default.",
+      "privileges_required": "none (NVD AV:N / PR:N) - unauthenticated against a reachable dashboard",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the dashboard of Ray, a widely used distributed AI/ML compute framework. The lesson reinforces the ShadowRay one: the AI compute control plane (dashboard, job API) must authenticate every caller and never be network-exposed - a single dashboard endpoint flaw is unauthenticated RCE or arbitrary file read on the cluster. These were patched in Ray 2.8.1 (unlike the disputed Job-API ShadowRay issue)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the Ray dashboard; unauthenticated callers reach command/file endpoints."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the AI compute framework's dashboard as managed, network-exposed software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI compute clusters expose dashboards on trusted-network assumptions; the dashboard's endpoints are not audited for injection / path traversal.",
+      "theater_pattern": "controlled_network_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's control plane (Ray dashboard, job API, log/profile endpoints) must authenticate every caller and never be exposed to untrusted networks; 'deploy only on a trusted network' is an assumption, not a control. Upgrade Anyscale Ray to 2.8.1 or later (fixes the dashboard cpu_profile command injection and log-API LFI), bind the dashboard to loopback or front it with an authenticating proxy, and run least-privilege. The distinguishing test: from the network, hit the dashboard cpu_profile and log API unauthenticated on a staging cluster and confirm both are refused.",
+        "evidence": "https://github.com/advisories/GHSA-h3xg-wv58-5p43",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6021": {
+    "name": "Anyscale Ray Dashboard Log API Local File Inclusion",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Anyscale Ray's dashboard (CWE-22 path traversal / LFI in the dashboard log API) lets an unauthenticated attacker read arbitrary host files. The dashboard has no authentication by default.",
+      "privileges_required": "none (NVD AV:N / PR:N) - unauthenticated against a reachable dashboard",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The abused surface is the dashboard of Ray, a widely used distributed AI/ML compute framework. The lesson reinforces the ShadowRay one: the AI compute control plane (dashboard, job API) must authenticate every caller and never be network-exposed - a single dashboard endpoint flaw is unauthenticated RCE or arbitrary file read on the cluster. These were patched in Ray 2.8.1 (unlike the disputed Job-API ShadowRay issue)."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is not enforced on the Ray dashboard; unauthenticated callers reach command/file endpoints."
+      },
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Does not track the AI compute framework's dashboard as managed, network-exposed software."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats the AI compute dashboard as an unauthenticated control plane requiring auth, input neutralization, and path containment."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 72,
+      "basis": "AI compute clusters expose dashboards on trusted-network assumptions; the dashboard's endpoints are not audited for injection / path traversal.",
+      "theater_pattern": "controlled_network_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's control plane (Ray dashboard, job API, log/profile endpoints) must authenticate every caller and never be exposed to untrusted networks; 'deploy only on a trusted network' is an assumption, not a control. Upgrade Anyscale Ray to 2.8.1 or later (fixes the dashboard cpu_profile command injection and log-API LFI), bind the dashboard to loopback or front it with an authenticating proxy, and run least-privilege. The distinguishing test: from the network, hit the dashboard cpu_profile and log API unauthenticated on a staging cluster and confirm both are refused.",
+        "evidence": "https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SI-2",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2026-0766": {
     "name": "Open WebUI Tool Module Code Injection RCE",
     "lesson_date": "2026-05-25",