CISA issues guidance for SGLang CVE-2026 RCE and traversal
SGLang contains two remote code execution vulnerabilities and one path traversal vulnerability. The most severe impact described is unauthenticated remote code execution or arbitrary file writes on the host running SGLang, under the exposure and configuration conditions stated in the advisory.
The vulnerabilities tracked in SGLang are identified as CVE-2026-7301, CVE-2026-7302, and CVE-2026-7304.

For CVE-2026-7301, the multimodal generation runtime scheduler's ROUTER socket includes a sink that calls pickle.loads() on incoming messages, enabling remote code execution when the socket is exposed to the internet. The advisory distinguishes this from CVE-2026-3060 and CVE-2026-3059, which were reachable from the internet via a ZMQ broker that automatically bound to all network interfaces without the user's awareness; CVE-2026-7301 is instead exposed to the internet by default because the scheduler host binds to 0.0.0.0 by default.

For CVE-2026-7302, the multimodal generation runtime has an unauthenticated path traversal that allows writing arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename sent to specific endpoints.

For CVE-2026-7304, the multimodal generation runtime has unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, because Python objects loaded via dill.loads() are deserialized without validation.
If exploited, these vulnerabilities could allow an unauthenticated attacker to achieve remote code execution or arbitrary file writes on the host running SGLang. The advisory further states that deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.
No patch is available at this time, and no response was obtained from the project maintainers during coordination. The advisory also notes that for exploitation to occur, the multimodal generation mode must be enabled and an attacker must have network access to the SGLang service.
As interim guidance, the advisory states that affected users should restrict access to the service interfaces and ensure they are not exposed to untrusted networks. It also advises implementing network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints.
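As an added illustration (a constructed example, not SGLang's code and not taken from the advisory), the two checks below show the defensive shape of the upload and message-sink issues described above: a containment check that rejects client-supplied upload filenames which resolve outside the upload directory, and an Unpickler that refuses every global reference so a message cannot name arbitrary callables. The upload root and the sample payloads are assumed values chosen for the demonstration.

```python
import io
import pickle
from pathlib import Path

# Constructed example, not SGLang code: two defensive checks matching the
# advisory's interim guidance for the upload and IPC surfaces it describes.
UPLOAD_ROOT = Path("/tmp/sglang-uploads")  # hypothetical upload directory

def safe_upload_path(root: Path, filename: str) -> Path:
    """Resolve a client-supplied filename strictly inside `root`.
    Rejects traversal ("../"), absolute paths, NUL bytes and subdirectories
    instead of rewriting the name; the decision is made on the resolved path.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    root_resolved = root.resolve()
    candidate = (root_resolved / filename).resolve()  # "/abs" replaces root
    if candidate.parent != root_resolved:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return candidate

def is_traversal_rejected(filename: str, root: Path = UPLOAD_ROOT) -> bool:
    try:
        safe_upload_path(root, filename)
        return False
    except ValueError:
        return True

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global reference; only plain containers and scalars load.
    A pickle may name any importable callable; overriding find_class() removes
    that path entirely, which is what makes pickle.loads() on a socket unsafe.
    """
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_pickle_rejected(data: bytes) -> bool:
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True

# Constructed sample messages: a benign dict and one that references a global.
SAFE_PAYLOAD = pickle.dumps({"prompt": "hi", "n": 2})
UNSAFE_PAYLOAD = pickle.dumps(len)  # harmless builtin; any global is refused
```

Neither check replaces the network restriction the advisory recommends; they limit what a request can do once it reaches the process.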