LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.