Three critical vulnerabilities (CVE-2026-7301, CVE-2026-7302, CVE-2026-7304) in SGLang's multimodal generation runtime allow unauthenticated remote code execution via unsafe deserialization (pickle/dill) and arbitrary file writes via path traversal when the feature is enabled and exposed to a network. According to authoritative NVD data, related critical CVEs CVE-2026-3060 and CVE-2026-3059 affect SGLang versions 0.5.5 through 0.5.9. No patch is currently available; immediate mitigations require ensuring the SGLang service interfaces are not exposed to untrusted networks and implementing strict network segmentation.
Overview Three vulnerabilities have been discovered in the SGLang project, two enabling remote code execution (RCE), and one regarding a path traversal vulnerability. In order for an attacker to exploit these vulnerabilities, the multimodal generation mode must be enabled, and an attacker must have network access to the SGLang service. No patch is available at this time, and no response was obtained from the project maintainers during coordination. Description SGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. Three vulnerabilities have been discovered within the tool and are tracked as follows: CVE-2026-7301 The multimodal generation runtime scheduler's ROUTER socket contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet. This vulnerability is distinct from CVE-2026-3060 and CVE-2026-3059, which would be open to the Internet via the ZMQ broker, which automatically binded to all network interfaces without user awareness. CVE-2026-7301 is exposed to the internet by default through the scheduler host, which binds to 0.0.0.0 by default. CVE-2026-7302 The multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints. CVE-2026-7304 The multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation. Impact If exploited, these vulnerabilities could allow an unauthenticated attacker to achieve remote code execution or arbitrary file writes on the host running SGLang. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation. Solution Until a patch is available, affected users should consider the following mitigations: Mitigation Restrict access to the service interfaces and ensure they are not exposed to untrusted networks. Implement network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints. Acknowledgements Thanks to the reporter, Alon Shakevsky. This document was written by Christopher Cullen. Vendor Information One or more vendors are listed for this advisory. Please reference the full report for more information. References https://github.com/sgl-project/sglang/tree/main/python/sglang https://antiproof.ai/blog/three-rces-in-sglang/ Other Information CVE IDs: CVE-2026-7302 CVE-2026-7304 CVE-2026-7301 Date Public: 2026-05-18 Date First Published: 2026-05-18 Date Last Updated: 2026-05-18 10:40 UTC Document Revision: 1 About vulnerability notes Contact us about this vulnerability Provide a vendor statement