CVE-2026-7304
9.8 CRITICALSGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor opt...
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| lmsys | sglang |
Description
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
Source: NVD
QSearch commentary
SGLang ships two RCE vulnerabilities the same day — the framework's permissive defaults are systemic, not isolated. Any model-serving runtime that allows runtime-defined processors needs to be deployed inside a sandbox or behind a sidecar that authenticates every processor registration. We add this to the AI Security pillar's deployment checklist: assume the runtime author optimized for developer velocity, not for production-trust boundaries.
— QSearch Security Research · 2026-05-19
References
Engagement axis
This CVE class is addressed in the QSearch ai-security axis.
Learn more about this axis →Related CVEs
Same vendor
- CVE-2026-7302 — SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arb... (9.1 CRITICAL)
- CVE-2026-7301 — SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads()... (9.8 CRITICAL)
- CVE-2026-5760 — SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_temp... (9.8 CRITICAL)
Same CWE
- CVE-2026-41732 — JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly t... (8.1 HIGH)
- CVE-2026-41731 — JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, mea... (8.1 HIGH)
- CVE-2026-40993 — An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata)... (7.3 HIGH)
- CVE-2026-44963 — A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user
- CVE-2026-48560 — Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized ... (5.4 MEDIUM)