CRITICAL🇵🇱 Wersja polska

CVE-2026-7301

CVSS 9.8v3.1pub. 2026-05-18upd. 2026-05-19

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

🤖 AI Analysis
How it works

The scheduler of the multimodal module in SGLang binds the ROUTER socket to address 0.0.0.0, which accepts connections from all network interfaces. Data sent to this socket is passed directly to the pickle.loads() function, which deserializes a Python object without any validation or authentication of the sender. An attacker can craft a malicious pickle payload and send it to the open socket, forcing arbitrary code execution in the context of the SGLang process.

Impact

An attacker gains the ability to remotely execute arbitrary code (RCE) on the server without requiring any privileges or user interaction, which can lead to complete system takeover, data theft, and violation of confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Until updates are applied, it is recommended to restrict access to the ROUTER socket using a firewall or network rules so that the port is not accessible from untrusted networks or the public internet. SGLang should not be exposed directly to the internet without an authentication layer.

Who is affected

Lmsys SGLang product — versions indicated in the vendor references; the multimodal generation runtime scheduler component with default ROUTER socket configuration is vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lmsys Sglang

    APP
    Lmsys
    0.5.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2026-7302CRITICAL9.1PL ✓ten sam produkt

SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia

CVE-2026-7304CRITICAL9.8PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w SGLang (dill.loads)

CVE-2026-5760CRITICAL9.8PL ✓ten sam produkt

SGLang: RCE przez niezabezpieczony silnik Jinja2 w endpoincie reranking

CVE-2026-3059CRITICAL9.8PL ✓ten sam produkt

RCE w SGLang przez deserializację pickle bez uwierzytelnienia (ZMQ broker)

CVE-2026-3060CRITICAL9.8PL ✓ten sam produkt

SGLang: nieuwierzytelnione RCE przez deserializację pickle w module disaggregation