{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/915947#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA remote code execution vulnerability has been discovered in the SGLang project, specifically in the reranking endpoint `(/v1/rerank)`. A CVE has been assigned to track the vulnerability; CVE-2026-5760. An attacker can create a malicious model for SGLang to achieve RCE. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or denial-of-service (DoS) attacks. No response was obtained from the project maintainers during coordination. \r\n\r\n### Description\r\n\r\nSGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. A vulnerability, tracked as CVE-2026-5760, has been discovered within the reranking endpoints. Using a cross-encoder model, the reranking endpoint reranks documents based on their relevance to a query.  \r\n\r\nAn attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted `tokenizer.chat_template` parameter that contains a Jinja2 server-side template injection (SSTI) payload with a trigger phrase to activate the vulnerable code path. A tokenizer.chat_template is a metadata field that defines how text is structured before being processed. The victim then downloads and loads the model in SGLang, and when a request hits the `/v1/rerank` endpoint, the malicious template is rendered, executing the attacker's arbitrary Python code on the server. This sequence of events enables the attacker to achieve remote code execution (RCE) on the SGLang server. 
\r\n\r\nThe vulnerability arises from the use of jinja2.Environment() without sandboxing in the `getjinjaenv()` function. This function sets up the environment for rendering Jinja2 templates, but since it lacks proper sandboxing, it fails to restrict the execution of arbitrary Python code. Consequently, when the reranking endpoint is accessed and a malicious model file containing a crafted tokenizer.chat_template is loaded, the model can execute arbitrary commands on the server. \r\n\r\n### Impact\r\n\r\nAn attacker can create a malicious model for SGLang to achieve RCE. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or denial-of-service (DoS) attacks. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation. \r\n\r\n### Solution\r\nTo mitigate this vulnerability, it is recommended to use `ImmutableSandboxedEnvironment` instead of `jinja2.Environment()` to render the chat templates. This will prevent the execution of arbitrary Python code on the server. No response or patch was obtained during the coordination process. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, Stuart Beck. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/915947"},{"url":"https://docs.sglang.io/basic_usage/native_api.html","summary":"https://docs.sglang.io/basic_usage/native_api.html"},{"url":"https://github.com/Stuub/SGLang-0.5.9-RCE","summary":"https://github.com/Stuub/SGLang-0.5.9-RCE"},{"url":"https://research.jfrog.com/model-threats/gguf-ssti/","summary":"https://research.jfrog.com/model-threats/gguf-ssti/"}],"title":"SGLang is vulnerable to remote code execution when rendering chat templates from a model file","tracking":{"current_release_date":"2026-04-20T13:46:04+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.36"}},"id":"VU#915947","initial_release_date":"2026-04-20 00:00:00+00:00","revision_history":[{"date":"2026-04-20T13:46:04+00:00","number":"1.20260420134604.1","summary":"Released on 2026-04-20T13:46:04+00:00"}],"status":"final","version":"1.20260420134604.1"}},"vulnerabilities":[{"title":"SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.","notes":[{"category":"summary","text":"SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment()."}],"cve":"CVE-2026-5760","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#915947"}]}],"product_tree":{"branches":[]}}