ThreatCluster

Critical Remote Code Execution Vulnerabilities in SGLangs Runtime

First seen 16 Jul 2026, 16:12 UTC nvd.nist.gov 73% similarity 67

Article Content

Browse articles
ThreatCluster

Two critical vulnerabilities, CVE-2026-7304 and CVE-2026-7301, have been identified in the SGLangs multimodal generation runtime. Both vulnerabilities, published on 2026-05-18, allow unauthenticated remote code execution (RCE) under specific conditions. CVE-2026-7304 exploits the --enable-custom-logit-processor option, where Python objects are deserialized without validation. CVE-2026-7301 involves the scheduler's ROUTER socket binding to 0.0.0.0 by default, allowing RCE when exposed to the internet. These vulnerabilities affect systems using SGLangs runtime, potentially impacting a wide range of applications. As of today, no patches or mitigations have been reported, leaving systems vulnerable to exploitation.

Key Points: • CVE-2026-7304 and CVE-2026-7301 allow unauthenticated remote code execution in SGLangs runtime. • Both vulnerabilities were published on 2026-05-18 and remain unpatched as of 2026-07-16. • Exploitation could lead to severe impacts on systems using the SGLangs multimodal generation runtime.

ThreatCluster AI

Timeline

2026-05-18
CVE-2026-7304 published
SGLangs runtime vulnerability allows unauthenticated RCE via unvalidated deserialization.
nvd.nist.gov
2026-05-18
CVE-2026-7301 published
SGLangs runtime scheduler vulnerability enables RCE when ROUTER socket binds to 0.0.0.0.
nvd.nist.gov
2026-07-16
Current status of vulnerabilities
No patches or mitigations have been released for CVE-2026-7304 and CVE-2026-7301, leaving systems exposed.
nvd.nist.gov

Community

Browse all →