Critical RCE Vulnerability Discovered in SGLang Framework via GGUF Models
Severity: High (Score: 69.8)
Sources: Cybersecuritynews, Thehackernews, www.cve.org, github.com, Gbhackers
Summary
A remote code execution vulnerability has been identified in the SGLang framework, specifically affecting the reranking endpoint (/v1/rerank) and tracked as CVE-2026-5760. This flaw allows attackers to exploit maliciously crafted GGUF model files containing Jinja2 templates, leading to the execution of arbitrary Python code on the server. The vulnerability arises from the unsandboxed use of jinja2.Environment() in the rendering process of chat templates. Successful exploitation could result in host compromise, lateral movement, data exfiltration, or denial-of-service attacks. The issue affects deployments of SGLang that expose the vulnerable interface to untrusted networks. Despite attempts to coordinate with project maintainers, no response or patch has been issued. The severity of this vulnerability is underscored by its potential impact on enterprise AI deployments. Security researchers recommend using ImmutableSandboxedEnvironment to mitigate the risk of exploitation.
Key Points:
- CVE-2026-5760 allows RCE via malicious GGUF model files in SGLang.
- Attackers can exploit the vulnerability through unsandboxed Jinja2 templates.
- No response or patch has been provided by SGLang maintainers.
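Because the template arrives inside the model file, it can be read and reviewed before the model is ever served. The following is an added example (not code from SGLang or from the researchers) that extracts the chat template from a GGUF header and flags underscore-prefixed attribute access. It assumes the GGUF v2/v3 little-endian layout and the standard `tokenizer.chat_template` metadata key; `chat_template`, `needs_review` and `sample` are hypothetical names, and the header bytes are constructed.

```python
import re
import struct

# GGUF metadata value type -> struct code for fixed-size scalars (v2/v3, little-endian).
SCALARS = {0: "B", 1: "b", 2: "H", 3: "h", 4: "I", 5: "i", 6: "f", 7: "?", 10: "Q", 11: "q", 12: "d"}
STRING, ARRAY = 8, 9
SUSPICIOUS = re.compile(r"(\.|\[\s*['\"]|attr\(\s*['\"])_\w")  # heuristic: "_"-prefixed access

def _read(buf, pos, fmt):
    (val,) = struct.unpack_from("<" + fmt, buf, pos)
    return val, pos + struct.calcsize("<" + fmt)

def _read_str(buf, pos):  # GGUF string: uint64 length + UTF-8 bytes
    n, pos = _read(buf, pos, "Q")
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n

def _read_value(buf, pos, vtype):
    if vtype == STRING:
        return _read_str(buf, pos)
    if vtype == ARRAY:
        etype, pos = _read(buf, pos, "I")
        count, pos = _read(buf, pos, "Q")
        items = []
        for _ in range(count):  # a truncated or lying header ends in struct.error
            item, pos = _read_value(buf, pos, etype)
            items.append(item)
        return items, pos
    return _read(buf, pos, SCALARS[vtype])  # KeyError on an unknown value type

def chat_template(buf):
    if buf[:4] != b"GGUF":
        raise ValueError("not a GGUF file")
    kv_count, pos = _read(buf, 16, "Q")  # follows magic, version (u32), tensor count (u64)
    for _ in range(kv_count):
        key, pos = _read_str(buf, pos)
        vtype, pos = _read(buf, pos, "I")
        value, pos = _read_value(buf, pos, vtype)
        if key == "tokenizer.chat_template":
            return value
    return None

def needs_review(template):
    return bool(template and SUSPICIOUS.search(template))

def sample(template):  # constructed header: a string-array key, then the chat template
    s = lambda t: struct.pack("<Q", len(t.encode())) + t.encode()
    return (b"GGUF" + struct.pack("<IQQ", 3, 0, 2)
            + s("tokenizer.ggml.tokens") + struct.pack("<IIQ", ARRAY, STRING, 2) + s("a") + s("b")
            + s("tokenizer.chat_template") + struct.pack("<I", STRING) + s(template))
```

A clean result here is triage only, since a pattern match cannot prove a template is safe; rendering still belongs in ImmutableSandboxedEnvironment as the researchers recommend.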
Key Entities
- Remote Code Execution (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2024-34359 (cve)
- CVE-2026-5760 (cve)
- CWE-94 - Code Injection (cwe)
- T1059.006 - Python (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1203 - Exploitation for Client Execution (mitre_attack)
- T1221 - Template Injection (mitre_attack)
- DeepSeek (tool)
- Python (tool)
- Jinja2 (tool)
- Llama-cpp-python (tool)
- GGUF (platform)
- Mistral (platform)
- Qwen (platform)
- SGLang (platform)
- Skywork (platform)
- OpenAI (company)
- Llama Drama (vulnerability)