PT-2026-36639 · Sgl · Sglang
David Rochester +2 · Published 2026-05-02 · Updated 2026-05-04
CVE-2026-7669
CVSS v3.1: 5.6 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
sgl-project SGLang versions prior to 0.6.0
Description
A code injection issue exists in the HuggingFace Transformer Handler within the get_tokenizer() function of the python/sglang/srt/utils/hf_transformers_utils.py file. When a caller sets the trust_remote_code variable to False, SGLang may silently re-invoke AutoTokenizer.from_pretrained with trust_remote_code set to True if HuggingFace transformers v5 returns a TokenizersBackend instance. This overrides the security setting and allows a model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json to execute arbitrary Python code in the SGLang process. This affects both tokenizer_mode="auto" and tokenizer_mode="slow". The attack can be executed remotely, although it is characterized by high complexity and difficult exploitability.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict the use of the get_tokenizer() function or avoid loading tokenizers from untrusted model repositories.
Exploit
Special Elements Injection
Deserialization of Untrusted Data
RCE
Code Injection
Related Identifiers
Affected Products
Sglang
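One way to enforce the Recommendations workaround (not loading tokenizers from untrusted repositories) is to inspect a model snapshot on disk before it is loaded. The following is an added example, not code from SGLang or from this advisory; the function names are hypothetical, and it assumes the repository has already been downloaded to a local directory.

```python
import json
import tempfile
from pathlib import Path


def remote_code_indicators(model_dir):
    """List the reasons a local model snapshot could run repository code on load."""
    root = Path(model_dir)
    findings = []
    cfg_path = root / "tokenizer_config.json"
    if cfg_path.is_file():
        try:
            cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # Fail closed: a config that cannot be parsed counts as a finding.
            findings.append("tokenizer_config.json: unreadable or invalid JSON")
        else:
            if isinstance(cfg, dict) and cfg.get("auto_map"):
                findings.append(f"tokenizer_config.json: auto_map={cfg['auto_map']!r}")
    # Any Python source shipped in the snapshot is a candidate for dynamic import.
    findings += [f"python file: {p.relative_to(root).as_posix()}"
                 for p in sorted(root.rglob("*.py"))]
    return findings


def require_no_remote_code(model_dir, trust_remote_code=False):
    """Raise before the tokenizer is loaded unless the caller opted in to remote code."""
    findings = remote_code_indicators(model_dir)
    if findings and not trust_remote_code:
        raise PermissionError(f"{model_dir}: refusing to load: " + "; ".join(findings))
    return findings


def build_sample(root, with_auto_map):
    """Constructed sample snapshot; file contents are illustrative only."""
    d = Path(root) / ("custom" if with_auto_map else "plain")
    d.mkdir()
    cfg = {"tokenizer_class": "PreTrainedTokenizerFast"}
    if with_auto_map:
        cfg["auto_map"] = {"AutoTokenizer": ["tokenizer.CustomTokenizer", None]}
        (d / "tokenizer.py").write_text("# placeholder custom tokenizer module\n")
    (d / "tokenizer_config.json").write_text(json.dumps(cfg))
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(require_no_remote_code(build_sample(tmp, False)))
        print(remote_code_indicators(build_sample(tmp, True)))
```

Because the check runs on the files themselves, its result does not depend on what value of trust_remote_code the loader ends up using. It does not change SGLang's behaviour; it only keeps a snapshot that declares custom tokenizer code from reaching get_tokenizer().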