PT-2026-60483 · Sglang · Sglang
CVE-2026-14890
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
SGLang (affected versions not specified)
Description
The expert-parallel backup subsystem exposes a ZeroMQ PULL socket on a routable network interface. This socket lacks authentication and deserialization safeguards, which allows an attacker to provide a malicious pickle file. This leads to unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. Pickle deserialization is the process of converting a byte stream back into a Python object, which can be exploited to execute arbitrary code if the input is untrusted.
Recommendations
Disable the expert-parallel backup subsystem if it is not strictly required.
Restrict network access to the SGLang service and its ZeroMQ PULL socket to trusted sources only.
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sglang