Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1933+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14890: SGLang ZeroMQ Unauthenticated RCE via Pickle Deserialization
CVE-2026-14890: SGLang ZeroMQ Unauthenticated RCE via Pickle Deserialization

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-14890

CVE-2026-14890: SGLang ZeroMQ Unauthenticated RCE via Pickle Deserialization

A critical unauthenticated remote code execution vulnerability in the SGLang AI inference framework allows attackers to deliver malicious pickle payloads through an exposed ZeroMQ PULL socket, achieving arbitrary code execution without credentials.

Dylan H.

Security Team

July 17, 2026
4 min read

Affected Products

  • SGLang (expert-parallel mode with ZeroMQ backup subsystem)

Overview

CVE-2026-14890 is a critical remote code execution vulnerability (CVSS 9.1) affecting SGLang, an open-source AI inference and serving framework. The flaw resides in SGLang's expert-parallel execution subsystem, which exposes a ZeroMQ PULL socket on a routable network interface with no authentication or deserialization safeguards in place.

An unauthenticated attacker reachable over the network can deliver a malicious pickle-serialized object to this socket. Because Python's pickle module is inherently unsafe when deserializing untrusted data, the payload is executed with the privileges of the SGLang process — resulting in full remote code execution on the host.

Technical Details

Vulnerable Component

SGLang's expert-parallel backup subsystem uses ZeroMQ (ZMQ) as an inter-process communication layer. When expert parallelism is enabled, a PULL socket is opened and bound to a routable (non-loopback) network interface. This socket:

  • Accepts connections from any reachable host — no IP allowlist or firewall rule is enforced by the application
  • Performs no authentication — no token, certificate, or handshake is required
  • Deserializes received data using Python's pickle module — a well-known unsafe deserialization vector

Supplying a crafted pickle payload causes arbitrary Python code to execute during deserialization, before any application logic runs. This is a classic insecure deserialization pattern (OWASP A08:2021).

Attack Vector

AttributeValue
CVSS Score9.1 (Critical)
Attack VectorNetwork
Authentication RequiredNone
Privileges RequiredNone
User InteractionNone
ImpactFull RCE on host

Exploitation Scenario

  1. Attacker identifies a host running SGLang in expert-parallel mode (e.g., via port scan for the ZeroMQ PULL port)
  2. Crafts a malicious pickle payload containing arbitrary Python commands
  3. Sends the payload directly to the exposed PULL socket over the network
  4. The SGLang process deserializes the object — executing the attacker's code

No credentials, tokens, or prior access are required.

Affected Software

  • SGLang using the expert-parallel backup subsystem with ZeroMQ
  • Configurations where the PULL socket is bound to a routable (non-loopback) interface
  • The NVD advisory does not specify a patched version at time of publication — check the SGLang GitHub releases for the latest fix

Mitigation

Until a patch is applied or confirmed safe configuration is established:

  1. Firewall the ZeroMQ PULL port — block the port at the network perimeter so only trusted hosts can reach it
  2. Bind to loopback only — if possible, configure the socket to bind to 127.0.0.1 rather than 0.0.0.0 or a routable interface
  3. Do not expose SGLang inference endpoints to untrusted networks — treat the inference service as an internal component behind an authenticated API gateway
  4. Monitor for unexpected outbound connections from the SGLang process as an indicator of compromise

Why This Matters

SGLang is widely used in research and production environments to serve large language models at scale. Expert parallelism is a common deployment mode for MoE (Mixture of Experts) architectures such as Mixtral and DeepSeek. Deployments on cloud VMs or Kubernetes clusters with misconfigured network policies are at highest risk, as the ZeroMQ PULL port may be inadvertently exposed to the internet or to other tenants in a shared environment.

Pickle deserialization vulnerabilities are one of the most severe categories of security flaws in Python applications. Once exploited, attackers gain the ability to install backdoors, exfiltrate model weights and training data, pivot to internal networks, or disrupt inference services entirely.

Recommendations

  • Immediately audit all SGLang deployments using expert-parallel mode for network exposure of the ZeroMQ port
  • Apply network-level controls as a compensating control until a patch is available
  • Follow SGLang's GitHub and the NVD advisory for patch availability and apply it promptly upon release
  • Review AI/ML serving infrastructure for similar patterns — other frameworks using ZeroMQ or similar IPC mechanisms without authentication deserve scrutiny

References

  • NVD — CVE-2026-14890
  • SGLang GitHub
  • OWASP A08:2021 — Software and Data Integrity Failures
#CVE-2026-14890#SGLang#RCE#ZeroMQ#Pickle Deserialization#AI Security#Critical Vulnerability

Related Articles

CVE-2026-46339: 9Router Unauthenticated Plugin Registration & MCP Command Execution

A critical CVSS 10 vulnerability in 9Router AI router versions 0.4.30–0.4.36 allows unauthenticated attackers to register custom plugins and execute arbitrary commands via an unprotected MCP bridge endpoint.

3 min read

CVE-2026-61447: PraisonAI CodeAgent Remote Code Execution via Unsandboxed Python Execution

A CVSS 10.0 critical vulnerability in PraisonAI before 1.6.78 allows attackers to achieve remote code execution by injecting malicious prompts that...

3 min read

CVE-2026-7301: SGLang ROUTER Socket Exposes Unsafe

A critical CVSS 9.8 vulnerability in SGLang's multimodal AI runtime scheduler binds its ROUTER socket to 0.0.0.0 by default and passes incoming messages...

6 min read
Back to all Security Alerts