Overview
CVE-2026-14890 is a critical remote code execution vulnerability (CVSS 9.1) affecting SGLang, an open-source AI inference and serving framework. The flaw resides in SGLang's expert-parallel execution subsystem, which exposes a ZeroMQ PULL socket on a routable network interface with no authentication or deserialization safeguards in place.
An unauthenticated attacker reachable over the network can deliver a malicious pickle-serialized object to this socket. Because Python's pickle module is inherently unsafe when deserializing untrusted data, the payload is executed with the privileges of the SGLang process — resulting in full remote code execution on the host.
Technical Details
Vulnerable Component
SGLang's expert-parallel backup subsystem uses ZeroMQ (ZMQ) as an inter-process communication layer. When expert parallelism is enabled, a PULL socket is opened and bound to a routable (non-loopback) network interface. This socket:
- Accepts connections from any reachable host — no IP allowlist or firewall rule is enforced by the application
- Performs no authentication — no token, certificate, or handshake is required
- Deserializes received data using Python's
picklemodule — a well-known unsafe deserialization vector
Supplying a crafted pickle payload causes arbitrary Python code to execute during deserialization, before any application logic runs. This is a classic insecure deserialization pattern (OWASP A08:2021).
Attack Vector
| Attribute | Value |
|---|---|
| CVSS Score | 9.1 (Critical) |
| Attack Vector | Network |
| Authentication Required | None |
| Privileges Required | None |
| User Interaction | None |
| Impact | Full RCE on host |
Exploitation Scenario
- Attacker identifies a host running SGLang in expert-parallel mode (e.g., via port scan for the ZeroMQ PULL port)
- Crafts a malicious pickle payload containing arbitrary Python commands
- Sends the payload directly to the exposed PULL socket over the network
- The SGLang process deserializes the object — executing the attacker's code
No credentials, tokens, or prior access are required.
Affected Software
- SGLang using the expert-parallel backup subsystem with ZeroMQ
- Configurations where the PULL socket is bound to a routable (non-loopback) interface
- The NVD advisory does not specify a patched version at time of publication — check the SGLang GitHub releases for the latest fix
Mitigation
Until a patch is applied or confirmed safe configuration is established:
- Firewall the ZeroMQ PULL port — block the port at the network perimeter so only trusted hosts can reach it
- Bind to loopback only — if possible, configure the socket to bind to
127.0.0.1rather than0.0.0.0or a routable interface - Do not expose SGLang inference endpoints to untrusted networks — treat the inference service as an internal component behind an authenticated API gateway
- Monitor for unexpected outbound connections from the SGLang process as an indicator of compromise
Why This Matters
SGLang is widely used in research and production environments to serve large language models at scale. Expert parallelism is a common deployment mode for MoE (Mixture of Experts) architectures such as Mixtral and DeepSeek. Deployments on cloud VMs or Kubernetes clusters with misconfigured network policies are at highest risk, as the ZeroMQ PULL port may be inadvertently exposed to the internet or to other tenants in a shared environment.
Pickle deserialization vulnerabilities are one of the most severe categories of security flaws in Python applications. Once exploited, attackers gain the ability to install backdoors, exfiltrate model weights and training data, pivot to internal networks, or disrupt inference services entirely.
Recommendations
- Immediately audit all SGLang deployments using expert-parallel mode for network exposure of the ZeroMQ port
- Apply network-level controls as a compensating control until a patch is available
- Follow SGLang's GitHub and the NVD advisory for patch availability and apply it promptly upon release
- Review AI/ML serving infrastructure for similar patterns — other frameworks using ZeroMQ or similar IPC mechanisms without authentication deserve scrutiny