PT-2026-60483 · Sglang · Sglang

CVE-2026-14890

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions SGLang (affected versions not specified)
Description The expert-parallel backup subsystem exposes a ZeroMQ PULL socket on a routable network interface. This socket lacks authentication and deserialization safeguards, which allows an attacker to provide a malicious pickle file. This leads to unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. Pickle deserialization is the process of converting a byte stream back into a Python object, which can be exploited to execute arbitrary code if the input is untrusted.
Recommendations Disable the expert-parallel backup subsystem if it is not strictly required. Restrict network access to the SGLang service and its ZeroMQ PULL socket to trusted sources only.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-14890

Affected Products

Sglang