Back

Critical RCE and Path Traversal Vulnerabilities Found in SGLang Framework

Severity: High (Score: 69.0)

Sources: antiproof.ai, www.cve.org, Kb.Cert

Published: 2026-05-18 · Updated: 2026-05-19

Keywords: sglang, three, remote, code, execution, path, traversal

Severity indicators: remote code execution, rce, path traversal, ot

Summary

Three vulnerabilities have been identified in the SGLang framework, including two remote code execution (RCE) vulnerabilities and one path traversal vulnerability. These flaws allow unauthenticated attackers to execute arbitrary code or write files on affected systems. The vulnerabilities are tracked as CVE-2026-7301, CVE-2026-7302, and CVE-2026-7304, all published on 2026-05-18. Exploitation requires network access to the SGLang service, particularly when the multimodal generation mode is enabled. No patches are currently available, and the maintainers have not responded to disclosure attempts. The vulnerabilities stem from unsafe deserialization and improper handling of file uploads. Deployments exposing the affected interfaces to untrusted networks are at the highest risk. Security professionals are advised to monitor their systems closely until a patch is released. Key Points: • Three critical vulnerabilities in SGLang allow RCE and path traversal attacks. • CVE-2026-7301 and CVE-2026-7304 enable RCE via unsafe deserialization. • No patches are available, and affected users should implement mitigations.

Detailed Analysis

**Impact** Organizations deploying SGLang for serving large language and multimodal AI models, including sectors using Qwen, DeepSeek, Mistral, and Skywork models, are affected globally. Exploitation allows unauthenticated attackers to execute remote code or write arbitrary files on hosts running SGLang, potentially compromising AI service integrity and underlying infrastructure. Deployments exposing affected interfaces to untrusted networks face the highest risk, with no patches currently available. The vulnerabilities threaten operational continuity and data confidentiality in AI service environments. **Technical Details** Three vulnerabilities include two remote code execution (RCE) flaws (CVE-2026-7301, CVE-2026-7304) and one path traversal issue (CVE-2026-7302). Attackers exploit unsafe deserialization via pickle.loads() and dill.loads() in the multimodal generation runtime, targeting exposed ZeroMQ ROUTER and REP sockets bound to all interfaces by default or through the --enable-custom-logit-processor flag. The path traversal vulnerability allows arbitrary file writes via unsanitized multipart upload filenames. Exploits require network access to SGLang services with multimodal generation enabled. No malware or specific IOCs were reported. **Recommended Response** Do not expose SGLang service interfaces to untrusted networks and disable the --enable-custom-logit-processor flag if enabled. Monitor network traffic for suspicious ZeroMQ activity and unauthorized file uploads containing path traversal sequences. Apply network segmentation and firewall rules to restrict access to SGLang endpoints. No official patches are available; maintain vigilance for vendor updates and coordinate with CERT/CC advisories.

Source articles (5)

  • VU#777338: SGLang contains two remote code execution and one path traversal vulnerability — Kb.Cert · 2026-05-18
    Three vulnerabilities have been discovered in the SGLang project, two enabling remote code execution (RCE), and one regarding a path traversal vulnerability. In order for an attacker to exploit these…
  • Three Rces In Sglang — antiproof.ai · 2026-05-18
    SGLang is a widely-used open-source framework for serving large language models and multimodal AI models. Antiproof identified three vulnerabilities in SGLang that allow an unauthenticated attacker to…
  • CVE-2026-7301 — www.cve.org · 2026-05-18
  • CVE-2026-7302 — www.cve.org · 2026-05-18
  • CVE-2026-7304 — www.cve.org · 2026-05-18

Timeline

  • 2026-03-12 — CVE-2026-3059 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-03-12 — CVE-2026-3060 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-18 — CVE-2026-7301 published: RCE vulnerability in SGLang's multimodal generation runtime scheduler due to unsafe deserialization.
  • 2026-05-18 — CVE-2026-7302 published: Path traversal vulnerability allowing arbitrary file writes via unsanitized upload filenames.
  • 2026-05-18 — CVE-2026-7304 published: RCE vulnerability when using the --enable-custom-logit-processor option due to unsafe deserialization.
  • 2026-05-18 — Vulnerabilities disclosed: Antiproof disclosed three vulnerabilities to SGLang and coordinated with CERT/CC.

CVEs

  • CVE-2026-3059
  • CVE-2026-3060
  • CVE-2026-7301
  • CVE-2026-7302
  • CVE-2026-7304

Related entities

  • Path Traversal (Vulnerability)
  • Remote Code Execution (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-22 - Path Traversal (Cwe)
  • Cwe-502 - Deserialization Of Untrusted Data (Cwe)
  • T1059.006 - Python (Mitre Attack)
  • AWS SageMaker (Platform)
  • SkyPilot (Platform)
  • Docker (Tool)
  • Python (Tool)
  • Dill (Tool)
  • Pickle (Tool)
  • OpenAI (Company)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed