{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/777338#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThree vulnerabilities have been discovered in the SGLang project, two enabling remote code execution (RCE), and one regarding a path traversal vulnerability. In order for an attacker to exploit these vulnerabilities, the multimodal generation mode must be enabled, and an attacker must have network access to the SGLang service. No patch is available at this time, and no response was obtained from the project maintainers during coordination. \r\n\r\n### Description\r\nSGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. Three vulnerabilities have been discovered within the tool and are tracked as follows:\r\n\r\n**CVE-2026-7301**\r\nThe multimodal generation runtime scheduler's ROUTER socket contains a sink that calls `pickle.loads()` on incoming messages, enabling RCE when exposed to the internet.\r\n\r\nThis vulnerability is distinct from CVE-2026-3060 and CVE-2026-3059, which would be open to the Internet via the ZMQ broker, which automatically binded to all network interfaces without user awareness. CVE-2026-7301 is exposed to the internet by default through the scheduler host, which binds to 0.0.0.0 by default. \r\n\r\n**CVE-2026-7302**\r\nThe multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including `../` sequences in the upload filename when sent to specific endpoints.\r\n\r\n**CVE-2026-7304**\r\nThe multimodal generation runtime is vulnerable to unauthenticated remote code execution when the `--enable-custom-logit-processor` option is enabled, as Python objects loaded via `dill.loads()` will be deserialized without validation.\r\n\r\n### Impact\r\nIf exploited, these vulnerabilities could allow an unauthenticated attacker to achieve remote code execution or arbitrary file writes on the host running SGLang. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.\r\n\r\n### Solution\r\nUntil a patch is available, affected users should consider the following mitigations:\r\n#### Mitigation\r\n- Restrict access to the service interfaces and ensure they are not exposed to untrusted networks.\r\n- Implement network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, Alon Shakevsky. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/777338"},{"url":"https://github.com/sgl-project/sglang/tree/main/python/sglang","summary":"https://github.com/sgl-project/sglang/tree/main/python/sglang"},{"url":"https://antiproof.ai/blog/three-rces-in-sglang/","summary":"https://antiproof.ai/blog/three-rces-in-sglang/"}],"title":"SGLang contains two remote code execution and one path traversal vulnerability","tracking":{"current_release_date":"2026-05-18T10:40:33+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.41"}},"id":"VU#777338","initial_release_date":"2026-05-18 10:40:33.868346+00:00","revision_history":[{"date":"2026-05-18T10:40:33+00:00","number":"1.20260518104033.1","summary":"Released on 2026-05-18T10:40:33+00:00"}],"status":"final","version":"1.20260518104033.1"}},"vulnerabilities":[{"title":"SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including .","notes":[{"category":"summary","text":"SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints."}],"cve":"CVE-2026-7302","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#777338"}]},{"title":"SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.","notes":[{"category":"summary","text":"SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation."}],"cve":"CVE-2026-7304","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#777338"}]},{"title":"SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.","notes":[{"category":"summary","text":"SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet."}],"cve":"CVE-2026-7301","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#777338"}]}],"product_tree":{"branches":[]}}