search menu icon-carat-right cmu-wordmark

CERT Coordination Center

SGLang contains a vulnerable pickle deserialization vulnerability through the expert-parallel subsystem

Vulnerability Note VU#326070

Original Release Date: 2026-07-16 | Last Revised: 2026-07-16

Overview

A Pickle deserialization vulnerability has been discovered within the SGLang project, enabling an attacker to perform remote code execution (RCE) on the target vulnerable server. In order for an attacker to exploit this vulnerability, the expert-parallel backup subsystem must be enabled, and an attacker must have network access to the SGLang service. No patch is available at this time, and no response was obtained from the project maintainers during coordination.

Description

SGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. A vulnerability has been discovered within the tool and is tracked as follows:

CVE-2026-14890
SGLang uses an expert-parallel backup subsystem designed to handle the large amount of compute and memory constraints associated with different model types. This system, when running, exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.

The vulnerability is caused by the ZeroMQ PULL socket in expert_backup_manager.py binding to an external IP address with no authentication, meaning that any process that can reach the endpoint can send a payload that eventually gets deserialized with Pickle. This vulnerability is structurally similar to CVE-2026-7301 and CVE-2026-7304 in that it enables unauthenticated remote code execution via unsafe deserialization of data through pickle.loads(), but differs by occurring in the expert-parallel backup subsystem, rather than the multimodal scheduler or custom logit processor interfaces.

Impact

If exploited, this vulnerability could allow an unauthenticated attacker to achieve remote code execution on the host running SGLang. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.

Solution

Until a patch is available, affected users should consider the following mitigations:

Mitigations

  • Restrict access to the service interfaces and ensure they are not exposed to untrusted networks.
  • Implement network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints.
  • Change SGLANG_USE_PICKLE_IPC to "false" within environ.py.

The SGLang maintainers have made strides in addressing pickle deserialization vulnerabilities, and have begun to work to refactor the code base with msgpack to prevent deserialization issues such as CVE-2026-14890, but the SGLANG_USE_PICKLE_IPC defaults to true within the codebase at the time of writing.

Acknowledgements

Thanks to the reporter, edwardav970@gmail.com.

This document was written by Christopher Cullen.

Vendor Information

326070
 

SGLang Unknown

Updated: 2026-07-16

CVE-2026-14890 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2026-14890
API URL: VINCE JSON | CSAF
Date Public: 2026-07-16
Date First Published: 2026-07-16
Date Last Updated: 2026-07-16 14:43 UTC
Document Revision: 1

Sponsored by CISA.