CVE-2026-7301: SGLang Unauthenticated RCE via Unsafe Deserialization
A critical remote code execution vulnerability has been disclosed in SGLang, the open-source multimodal AI inference and serving runtime widely used to deploy large language models and vision-language models at scale. Tracked as CVE-2026-7301 (CVSS 9.8, Critical), the vulnerability stems from the scheduler's ROUTER socket binding to 0.0.0.0 by default and routing incoming messages to an unsafe deserialization sink — creating a zero-authentication RCE surface for any attacker with network access to the exposed port.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-7301 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-502 — Deserialization of Untrusted Data |
| Affected Software | SGLang multimodal generation runtime (scheduler) |
| Attack Vector | Network |
| Authentication Required | None |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Patch Available | Check NVD for vendor advisory |
| Published | 2026-05-18 |
Technical Analysis
Root Cause
SGLang's multimodal generation runtime includes a scheduler component that manages task distribution across workers. The scheduler exposes a ROUTER socket that, by default, binds to 0.0.0.0 — making it reachable from any network interface, including the public internet if the server is internet-exposed.
The critical flaw is in how the ROUTER socket processes incoming messages: it routes data directly to a deserialization sink that processes attacker-controlled byte payloads without authentication or input validation. Because Python's native serialization format can encode arbitrary callables, an attacker who can reach the ROUTER socket can craft a payload that executes arbitrary code within the SGLang server process.
Exploit Chain
1. Attacker identifies an internet-exposed SGLang server
(default scheduler ROUTER socket is bound to 0.0.0.0)
2. Attacker crafts a malicious serialized payload
encoding an arbitrary OS command or callable
3. Attacker sends the payload to the ROUTER socket
— no authentication is required or checked
4. The scheduler's deserialization sink processes the payload
5. Arbitrary code executes with the privilege of the SGLang
server process (often GPU-enabled, root, or service account)
6. Full server compromise achievedWhy This Is Severe
The combination of factors that makes CVE-2026-7301 particularly dangerous:
- Network-accessible by default — no firewall or network segmentation configuration is required to be vulnerable; the default installation is exposed
- Zero authentication — no credentials, tokens, or API keys are needed to reach the vulnerable sink
- Deserialization = arbitrary code — insecure deserialization vulnerabilities are notoriously reliable exploit primitives, often allowing straightforward RCE with minimal trial-and-error
- AI inference servers are high-value targets — SGLang servers typically run on high-performance GPU hardware and may process proprietary models, sensitive data, or production workloads
Affected Deployments
Any SGLang deployment where the scheduler's ROUTER socket is reachable from an untrusted network is vulnerable. High-risk configurations include:
- Cloud VM or bare-metal GPU servers running SGLang with default configuration and a public IP
- Container deployments where the ROUTER socket port is exposed via Docker
-pmappings or KubernetesNodePort/LoadBalancerservices - Research clusters with open internal networks where SGLang is assumed to be internal-only but the port is reachable
- AI API providers hosting SGLang as a backend for model serving
Impact Assessment
| Impact Area | Description |
|---|---|
| Confidentiality | Full access to all data the process can read — model weights, API keys, inference inputs, cached outputs |
| Integrity | Arbitrary code execution allows model tampering, log deletion, and configuration modification |
| Availability | Process termination, GPU resource exhaustion, or persistent backdoor installation |
| Privilege | If running as root or a high-privilege service account, the entire host may be compromised |
| Lateral Movement | GPU servers often have access to storage networks, internal APIs, and other sensitive infrastructure |
Remediation
Immediate Mitigations
Until a vendor patch is confirmed and applied:
1. Restrict ROUTER socket binding (highest priority)
Configure SGLang to bind the scheduler ROUTER socket to 127.0.0.1 (loopback only) rather than 0.0.0.0. Check the SGLang documentation and configuration options for --scheduler-host or equivalent settings.
2. Firewall the ROUTER socket port
If the port cannot be changed immediately, apply firewall rules to block external access to the scheduler port:
# Example: block external access to SGLang scheduler port (adjust port as needed)
iptables -A INPUT -p tcp --dport <scheduler_port> ! -s 127.0.0.1 -j DROP
# Or restrict to trusted IP ranges only
iptables -A INPUT -p tcp --dport <scheduler_port> -s <trusted_range> -j ACCEPT
iptables -A INPUT -p tcp --dport <scheduler_port> -j DROP3. Deploy behind an authenticated reverse proxy
Place the SGLang service behind a reverse proxy (nginx, Traefik, Caddy) that enforces authentication before proxying requests to the scheduler.
4. Network segmentation
Move SGLang servers to an isolated network segment with no direct internet access. Use a bastion host or VPN for administrative access.
Patch
Check the NVD entry for CVE-2026-7301 and the SGLang GitHub repository for vendor-issued patches and version advisories. Apply any available patch immediately after testing.
Detection
Monitor for unexpected processes spawned by the SGLang scheduler, unusual outbound network connections from the server, or unexpected files created in the server's working directory:
# Monitor for unexpected child processes of SGLang
ps auxf | grep sglang
# Check for unexpected outbound connections
ss -tnp | grep <sglang_pid>
# Review system logs for anomalous activity
journalctl --since "1 hour ago" | grep -i "sglang\|scheduler"Indicators of compromise include unexpected shell processes, outbound connections to unknown hosts, or modifications to SGLang configuration or model files.
Key Takeaways
- CVE-2026-7301 allows unauthenticated RCE on any internet-accessible SGLang server due to the scheduler's ROUTER socket binding to
0.0.0.0by default and processing payloads through an unsafe deserialization sink - CVSS 9.8 (Critical) — network-accessible, no authentication, no user interaction required
- AI/ML inference servers are increasingly high-value targets; the assumption that they are internal-only is dangerous without explicit firewall configuration
- Immediate action: restrict the ROUTER socket binding to loopback or firewall the scheduler port before a vendor patch is available
- Deserialization vulnerabilities are among the most reliable exploit primitives — treat this with the same urgency as a known-exploited vulnerability