SGLang Three Unauthenticated RCEs (CVE-2026-7301/7302/7304)

AI relevance: SGLang is a widely deployed open-source framework for serving LLMs and multimodal models. Any production inference endpoint affected by these CVEs gives attackers unauthenticated remote code execution on the model-serving host.

  • CVE-2026-7301 (CVSS 9.8) — pickle deserialization RCE. The multimodal generation runtime's scheduler binds a ZeroMQ ROUTER socket and calls pickle.loads() on incoming messages without validation. SGLang's own installation docs and Docker Compose deploy with --host 0.0.0.0, making the socket reachable in standard setups.
  • CVE-2026-7302 (CVSS 9.1) — arbitrary file write via path traversal. The /v1/images/edits and /v1/videos endpoints use a client-supplied multipart filename directly in the target path with no sanitization, enabling ../ traversal to write files anywhere the process can reach.
  • CVE-2026-7304 (CVSS 9.8) — RCE via custom logit processor. When --enable-custom-logit-processor is set (recommended in SGLang docs for DeepSeek-R1 and GLM-4 serving), the generation endpoint loads untrusted Python objects via dill.loads().
  • All three vulnerabilities are discoverable and exploitable without authentication. Two involve unsafe Python deserialization, a class of flaw that Python's own documentation explicitly warns against.
  • No official patch is available as of publication. Antiproof coordinated disclosure through CERT/CC (VU#777338), and the vendor did not respond during coordination.
  • CVSS scores are Antiproof's own assessment. Affected versions span v0.4.1.post7+ for CVE-2026-7304 and v0.5.5+ for the other two.
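
The filename handling behind CVE-2026-7302, as an added example (not SGLang's code and not from the advisory): a naive join of the upload directory with the client-supplied multipart filename, beside a version confined to that directory. The function names, the upload directory and the sample filenames are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sample filenames, as a client could send them in a multipart upload.
CONSTRUCTED_NAMES = ["cat.png", "../../outside.png", "/constructed/abs.png",
                     "..\\..\\win.png", ".."]

def naive_upload_path(upload_dir: Path, client_filename: str) -> Path:
    """Flawed pattern: the client-supplied name goes straight into the path."""
    return upload_dir / client_filename  # an absolute name replaces upload_dir

def safe_upload_path(upload_dir: Path, client_filename: str) -> Path:
    """Return a path confined to upload_dir, or raise ValueError."""
    # Keep only the last component under both POSIX and Windows separators.
    name = PureWindowsPath(PurePosixPath(client_filename).name).name
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected upload filename: {client_filename!r}")
    root = upload_dir.resolve()
    target = (root / name).resolve()
    # Defence in depth: with symlinks resolved, the target must stay under root.
    if not target.is_relative_to(root):
        raise ValueError(f"upload path escapes {root}: {client_filename!r}")
    return target

def escapes(upload_dir: Path, candidate: Path) -> bool:
    """True if candidate resolves to a location outside upload_dir."""
    return not candidate.resolve().is_relative_to(upload_dir.resolve())

def demo() -> dict:
    """Map each sample name to (naive path escapes?, confined name or None)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        for name in CONSTRUCTED_NAMES:
            naive_escapes = escapes(uploads, naive_upload_path(uploads, name))
            try:
                confined = safe_upload_path(uploads, name).name
            except ValueError:
                confined = None
            results[name] = (naive_escapes, confined)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:28} naive escapes={outcome[0]!s:5} confined={outcome[1]}")
```

Generating the stored name on the server and keeping the client's filename only as metadata removes the dependency on client input altogether.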

Why it matters

SGLang powers production inference endpoints for Qwen, DeepSeek, Mistral, and other frontier models. The combination of an internet-facing scheduler socket, unchecked file uploads, and a documented-but-unsafe custom-processor flag means default-recommended deployments are directly exploitable. Unlike web application flaws, these are RCE primitives on the actual model-serving infrastructure — the same hosts holding model weights, API keys, and training data.

What to do

  • If you run SGLang multimodal generation, block external access to the scheduler socket and the HTTP API at the network layer immediately.
  • Remove --enable-custom-logit-processor unless absolutely required; this flag is the sole precondition for CVE-2026-7304.
  • Never bind --host 0.0.0.0 on inference servers; use a reverse proxy with authentication for any external exposure.
  • Monitor the SGLang repository and CERT/CC VU#777338 for patch announcements.
  • Audit any SGLang instances for evidence of compromise — check for unexpected files written outside the uploads directory.

Sources