SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.
Metrics
Affected Vendors & Products
References
History
Thu, 16 Jul 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Sglang
Sglang sglang |
|
| Vendors & Products |
Sglang
Sglang sglang |
Thu, 16 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. | |
| Title | CVE-2026-14890 | |
| References |
|
Status: PUBLISHED
Assigner: certcc
Published:
Updated: 2026-07-16T16:29:23.722Z
Reserved: 2026-07-06T17:51:01.634Z
Link: CVE-2026-14890
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T17:00:02Z