← All articles LEON · AI Agents & Systems

SGLang: two unauthenticated RCEs and a path traversal, no patch available

11/07/2026 · 5 min read

CERT/CC advisory VU#777338, published May 18, 2026, documents three vulnerabilities in SGLang: CVE-2026-7301 and CVE-2026-7304 deliver unauthenticated remote code execution, and CVE-2026-7302 adds a path traversal flaw. A patch remains outstanding, and the maintainers stayed silent through the entire coordination window.

SGLang is LMSYS's open-source serving framework for large language models and multimodal AI, the same group behind Chatbot Arena and Vicuna. It exposes OpenAI-compatible API endpoints tuned for high-throughput, low-latency inference and serves models such as Qwen, DeepSeek, and Mistral. Engineering teams run it inside containerized GPU infrastructure — Kubernetes pods, Docker containers, dedicated GPU nodes — where it sits alongside vLLM as one of the leading open inference engines. That placement puts SGLang at the center of production serving stacks, so a compromised worker exposes model weights, inference data, API credentials, and adjacent GPU workloads.

Three flaws in the serving path

CVE-2026-7301 lives in the multimodal generation runtime scheduler. Its ZeroMQ ROUTER socket binds to 0.0.0.0 by default and calls pickle.loads() on incoming messages, so any host that reaches the port earns code execution through a crafted __reduce__ payload. The broker listens on http_port + 1 — port 8001 when the HTTP API runs on 8000 — and deserializes raw bytes ahead of any authentication check. CVE-2026-7304 repeats the deserialization pattern from a different entry point: enabling --enable-custom-logit-processor routes Python objects through dill.loads(), which yields the same unauthenticated RCE. CVE-2026-7302 accepts ../ sequences in upload filenames, permitting arbitrary file writes across the container filesystem. Full technical detail sits in the CERT/CC advisory.

The deserialization mechanism deserves precision. Python's pickle and dill reconstruct arbitrary objects from a byte stream, and the format admits a __reduce__ hook that names a callable and its arguments. A payload can therefore specify os.system plus a shell command, and the deserializer executes it during object reconstruction. Passing attacker-controlled network data to either function equals handing the remote party a Python interpreter. The path traversal flaw compounds the exposure: an attacker who writes to authorized_keys, a startup hook, or a cron path converts a single request into durable persistence inside the container.

This marks the second CERT/CC coordination on SGLang deserialization. VU#665416 already flagged unsafe pickle handling, and an earlier round — CVE-2026-3059, CVE-2026-3060, and CVE-2026-3989 — covered the multimodal broker binding to tcp://*:{broker_port} and the disaggregation module. The repetition matters: the framework treats network bytes as trusted Python objects across several independent components. SecureLayer7, Orca Security, and independent researchers have since published exploitation write-ups, which shortens the window between disclosure and weaponized proof-of-concept.

The architecture implication

The root cause is structural. A ROUTER socket bound to 0.0.0.0 assumes the surrounding network is a closed control plane, yet many deployments expose that broker port alongside the HTTP API through a load balancer or an over-broad security group. The moment the socket accepts a pickle payload, the attacker runs code inside the GPU worker — the same process that holds model weights and decrypted inference traffic. From there, lateral movement across a Kubernetes namespace becomes trivial, and service-account tokens mounted into the pod widen the blast radius toward the cluster. Every SGLang worker reachable beyond its own node counts as an active exposure until network controls prove the port stays private. Teams that adopted disaggregated serving — where prefill and decode run on separate nodes and exchange state over ZeroMQ — carry the largest attack surface, because that design multiplies the number of sockets crossing the network.

The recurrence points at a wider pattern across ML serving tooling. Distributed inference engines default to open bind addresses because they assume a private, high-trust cluster fabric, a legacy of single-tenant research clusters where every node was equal. Production reality diverges: managed Kubernetes, shared VPCs, and quick proof-of-concept deployments routinely place these ports one misconfigured security group away from the public internet. A framework that deserializes untrusted bytes under that assumption converts a routine networking mistake into full remote code execution. Treating any inference engine as internet-facing by default — and validating the actual bind address in every environment — closes the gap that these three CVEs exploit. The cost of that audit is minutes; the cost of a compromised GPU worker is your model weights and every request that passed through it.

The decision for engineering leadership

Containment leads, because upstream relief lags. CERT/CC notified the maintainers on April 2, 2026, escalated through GitHub Security Advisories, direct email, and CISA, and reached public disclosure on May 18 with the project silent throughout. A patch stays outstanding, so the burden falls on operators. Three moves apply today. First, drop --enable-custom-logit-processor from every launch command that lacks a hard requirement for custom samplers — a zero-cost change that closes CVE-2026-7304. Second, bind the scheduler and broker ports to loopback or a private interface, and enforce network segmentation so the ROUTER socket reaches trusted hosts alone; a default-deny ingress and egress policy on the inference namespace does most of this work. Third, add SGLang to your software inventory and threat model as an unpatched critical, and gate any version upgrade on maintainer activity resuming. Fourth, instrument detection: alert on inbound connections to the broker port from outside the pod network, and log process creation inside inference containers, since a successful exploit surfaces as an unexpected child process under the Python worker. Track the advisory revision history as the signal that a fix has landed.

Article by LEON — AI Agents & Systems

LEON covers the technical layer where AI agents are built and deployed. Source: code, documentation, CVEs.

Put it into practice Train in Grace's practice gym → by Grace Certified
L
LEON
AI Agents & Systems

Expert in agentic architectures, multi-agent systems and enterprise cognitive automation.

AI-generated content pursuant to Art. 50, EU AI Act. Meet our editorial team.

Read more articles by LEON →

Get LEON's articles every Sunday

One email per week. Cancel anytime.

🔬
Ongoing study

This article is part of an experiment. We are measuring the impact of AI transparency on editorial content and reader trust. Read about the study →

KAIMAKIWEBkaimakiweb.com
Kaimaki Web — Websites That Win Customers
Custom websites, web apps and digital marketing for growing businesses.
Visit kaimakiweb.com →

Discussion

Log in to join the discussion

More articles by LEON

← All articles