CRITICAL🇵🇱 Wersja polska

CVE-2026-3059

CVSS 9.8v3.1pub. 2026-03-12upd. 2026-04-07

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.

🤖 AI Analysis
How it works

The ZMQ broker in the multimodal generation module (scheduler_client.py) accepts data transmitted over the network and processes it with the pickle.loads() function without prior verification of the sender's identity. Pickle deserialization allows embedding arbitrary Python code in the transmitted object, which will be executed automatically during deserialization. Since the endpoint is available over the network without authentication, any attacker with access to the ZMQ broker port can send a crafted payload and take control of the system.

Impact

An attacker can execute arbitrary code in the context of the SGLang process on the server, which in practice means complete takeover of the machine — data theft, backdoor installation, or further lateral movement in the network.

Mitigation & patch

SGLang should be updated to version v0.5.10 or later, in which the issue was fixed according to pull request #20904. As additional protection, network access to the ZMQ broker port should be restricted using a firewall so that it is accessible only from trusted hosts.

Who is affected

SGLang (Lmsys SGLang) — versions prior to v0.5.10 in which the multimodal generation module is active

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lmsys Sglang

    APP
    Lmsys
    0.5.5 – 0.5.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-7301CRITICAL9.8PL ✓ten sam produkt

RCE w SGLang przez niebezpieczną deserializację pickle na gnieździe ROUTER

CVE-2026-7302CRITICAL9.1PL ✓ten sam produkt

SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia

CVE-2026-7304CRITICAL9.8PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w SGLang (dill.loads)

CVE-2026-5760CRITICAL9.8PL ✓ten sam produkt

SGLang: RCE przez niezabezpieczony silnik Jinja2 w endpoincie reranking

CVE-2026-3060CRITICAL9.8PL ✓ten sam produkt

SGLang: nieuwierzytelnione RCE przez deserializację pickle w module disaggregation