{"vuid":"VU#326070","idnumber":"326070","name":"SGLang contains a vulnerable pickle deserialization vulnerability through the expert-parallel subsystem","keywords":null,"overview":"### Overview\r\nA [Pickle deserialization](https://docs.python.org/3/library/pickle.html) vulnerability has been discovered within the [SGLang project](https://github.com/sgl-project/sglang), enabling an attacker to perform remote code execution (RCE) on the target vulnerable server. In order for an attacker to exploit this vulnerability, the expert-parallel backup subsystem must be enabled, and an attacker must have network access to the SGLang service. No patch is available at this time, and no response was obtained from the project maintainers during coordination.\r\n\r\n### Description\r\nSGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. A vulnerability has been discovered within the tool and is tracked as follows: \r\n\r\n**CVE-2026-14890**\r\nSGLang uses an expert-parallel backup subsystem designed to  handle the large amount of compute and memory constraints associated with different model types. This system, when running, exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.\r\n\r\nThe vulnerability is caused by the ZeroMQ PULL socket in [expert_backup_manager.py ](https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/elastic_ep/expert_backup_manager.py) binding to an external IP address with no authentication, meaning that any process that can reach the endpoint can send a payload that eventually gets deserialized with Pickle. This vulnerability is structurally similar to [CVE-2026-7301 ](https://nvd.nist.gov/vuln/detail/CVE-2026-7301) and [CVE-2026-7304](https://nvd.nist.gov/vuln/detail/CVE-2026-7304) in that it enables unauthenticated remote code execution via unsafe deserialization of data through pickle.loads(), but differs by occurring in the expert-parallel backup subsystem, rather than the multimodal scheduler or custom logit processor interfaces.\r\n\r\n### Impact\r\nIf exploited, this vulnerability could allow an unauthenticated attacker to achieve remote code execution on the host running SGLang. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.\r\n\r\n### Solution\r\nUntil a patch is available, affected users should consider the following mitigations:\r\n\r\n#### Mitigations\r\n* Restrict access to the service interfaces and ensure they are not exposed to untrusted networks.\r\n* Implement network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints.\r\n* Change SGLANG_USE_PICKLE_IPC to \"false\" within `environ.py`.\r\n\r\nThe SGLang maintainers have made strides in addressing pickle deserialization vulnerabilities, and have begun to work to [refactor the code base with msgpack to prevent deserialization issues](https://github.com/sgl-project/sglang/issues/29465) such as CVE-2026-14890, but the SGLANG_USE_PICKLE_IPC defaults to true within the codebase at the time of writing.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, edwardav970@gmail.com.\r\n\r\nThis document was written by Christopher Cullen.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://github.com/sgl-project/sglang/issues/29465","https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/elastic_ep/expert_backup_manager.py","https://www.kb.cert.org/vuls/id/777338","https://nvd.nist.gov/vuln/detail/CVE-2026-7304","https://nvd.nist.gov/vuln/detail/CVE-2026-7301","https://docs.python.org/3/library/pickle.html"],"cveids":["CVE-2026-14890"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-07-16T14:43:27.060924Z","publicdate":"2026-07-16T14:43:26.927845Z","datefirstpublished":"2026-07-16T14:43:27.079795Z","dateupdated":"2026-07-16T14:43:26.927842Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":219}