The Naked AI Nervous System: Mapping Exposed Ray Clusters

We mapped the unauthenticated Ray and MLflow dashboards broadcasting live proprietary AI architecture, RAG prompts, and environment variables to the public internet. Every Ray cluster on port 8265 and every MLflow UI on port 5000 is a remote-code-execution surface waiting to happen.

Why Ray + MLflow Are the Most Dangerous Exposures in AI

• Ray Dashboard (port 8265) — the control plane for distributed Python execution. Without authentication, the dashboard's Jobs API accepts arbitrary Python from any visitor. CVE-2023-48022 (“ShadowRay”) confirmed every exposed cluster is a turn-key remote-code execution target. Environment variables, working directories, and the entire object store leak by default.
• MLflow Tracking UI (port 5000) — the registry for every model trained, every experiment run, every prompt evaluated. Unauthenticated MLflow exposes artifact paths, training data lineage, and the model binaries themselves. CVE-2024-1483 (path traversal) and CVE-2023-6831 (local file inclusion) chain into full host compromise.
• Why these defaults persist — both projects ship with no auth out-of-the-box because they are designed for trusted cluster environments. The shift to managed Kubernetes and rapid prototyping pushed these dashboards onto the public internet faster than security teams could keep up.

What an attacker actually sees

A Ray dashboard renders the cluster head's Python environment, every active worker, the entire job queue, the contents of recent task logs, and a one-click submit button for new jobs. An MLflow UI renders every registered model, every artifact path, every experiment's parameters and metrics — including the raw prompt templates a RAG pipeline shipped to production. Together they reveal the architecture, the prompts, and the secrets in one polite HTTP 200 OK.

You Cannot Stop Shadow Infrastructure. Secure Your Telemetry.

Shadow infrastructure is inevitable. Researchers ship Ray clusters in hours; product teams iterate on MLflow registries before the security team has heard the project name. EchelonGraph's Zero-Knowledge Telemetry Processing continuously maps every Ray cluster, MLflow registry, and adjacent AI orchestration surface — and proves containment without ever touching the payload. We see the control plane; your data never leaves your environment.