SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 16 Jul 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Sglang
Sglang sglang |
|
| Vendors & Products |
Sglang
Sglang sglang |
Thu, 16 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. | |
| Title | CVE-2026-14890 | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: certcc
Published:
Updated: 2026-07-16T16:29:23.722Z
Reserved: 2026-07-06T17:51:01.634Z
Link: CVE-2026-14890
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T17:00:02Z
Weaknesses
No weakness.