Skip to main content

VU#326070: SGLang contains a vulnerable pickle deserialization vulnerability through the expert-parallel subsystem

SGLang contains a Pickle deserialization vulnerability that can enable remote code execution on a target host. The expert-parallel backup subsystem must be enabled, and an attacker must have network access to the SGLang service for exploitation. No patch is available at this time.

The vulnerability is tracked as CVE-2026-14890. SGLang includes an expert-parallel backup subsystem that, when running, exposes a ZeroMQ PULL socket on a routable network interface without authentication or deserialization safeguards. The expert_backup_manager.py file binds this ZeroMQ PULL socket to an external IP address without authentication, so any process able to reach the endpoint can send a payload that eventually gets deserialized with Pickle. The vulnerability is structurally similar to CVE-2026-7301 and CVE-2026-7304, in that it enables unauthenticated remote code execution via unsafe deserialization using pickle.loads(), but differs because it occurs in the expert-parallel backup subsystem rather than the multimodal scheduler or custom logit processor interfaces.

If exploited, this vulnerability could allow an unauthenticated attacker to achieve remote code execution on the host running SGLang. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.

Until a patch is available, affected users should consider the following mitigations: restrict access to the service interfaces and ensure they are not exposed to untrusted networks; implement network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints; change SGLANG_USE_PICKLE_IPC to “false” within environ.py. The SGLang maintainers have begun to work to refactor the code base with msgpack to prevent deserialization issues such as CVE-2026-14890, but SGLANG_USE_PICKLE_IPC defaults to true within the codebase at the time of writing.

Thanks to the reporter, [email protected]. This document was written by Christopher Cullen. References include https://github.com/sgl-project/sglang/issues/29465, https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/elastic_ep/expert_backup_manager.py, https://www.kb.cert.org/vuls/id/777338, https://nvd.nist.gov/vuln/detail/CVE-2026-7304, https://nvd.nist.gov/vuln/detail/CVE-2026-7301, and https://docs.python.org/3/library/pickle.html.