CVE-2026-7302: SGLang Unauthenticated Path Traversal
A critical path traversal vulnerability has been disclosed in SGLang, the widely-used open-source AI inference runtime for serving large language models and multimodal models. Tracked as CVE-2026-7302 (CVSS 9.1, Critical), the flaw allows an unauthenticated attacker to write arbitrary files to any location the server process can access by embedding ../ sequences in the upload filename when sending requests to specific upload endpoints.
The vulnerability is closely related to CVE-2026-7301 (CVSS 9.8), a companion flaw in the same SGLang runtime involving unsafe deserialization on the ROUTER socket. Both vulnerabilities were published on the same day and organizations running SGLang should treat them as a compound critical risk.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-7302 |
| CVSS Score | 9.1 (Critical) |
| CWE Classification | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| Affected Software | SGLang multimodal generation runtime (file upload endpoints) |
| Attack Vector | Network |
| Authentication Required | None |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Published | 2026-05-18 |
Technical Analysis
Root Cause
SGLang exposes file upload endpoints as part of its multimodal generation runtime — these are designed to accept images, audio, or other media files for use in multimodal inference requests. The vulnerability exists because the server does not sanitize or validate the filename parameter provided in upload requests before using it to construct the destination file path.
An attacker can supply a filename containing ../ sequences (e.g., ../../../../etc/cron.d/evil or ../../.ssh/authorized_keys) which, when concatenated with the server's base upload directory, resolves to an arbitrary path outside the intended upload location.
Exploit Chain
1. Attacker identifies an internet-exposed SGLang server
with an accessible file upload endpoint
2. Attacker crafts an HTTP upload request with a
malicious filename: ../../../../target/path/filename
3. SGLang concatenates the base upload path with the
filename without sanitization
4. The file is written to the attacker-specified path,
anywhere the server process has write access
5. Depending on write target:
a. Write to /etc/cron.d/ → scheduled command execution
b. Write to ~/.ssh/authorized_keys → SSH backdoor
c. Write web shell to a web-accessible directory → RCE
d. Overwrite SGLang config → persistent configuration manipulation
e. Write to /etc/passwd or sudoers → privilege escalationChaining with CVE-2026-7301
When combined with CVE-2026-7301 (the deserialization RCE on the ROUTER socket), CVE-2026-7302 provides a secondary and independent RCE path. In environments where the ROUTER socket is not directly reachable but the upload endpoint is accessible, this vulnerability can still achieve code execution through file write primitives (cron jobs, SSH keys, web shells).
Affected Deployments
Any SGLang deployment where file upload endpoints are reachable from an untrusted network is vulnerable, including:
- Public-facing multimodal API servers using SGLang as the backend for image/audio/video processing
- Research inference services where SGLang is exposed without authentication on internal networks
- Cloud deployments where the SGLang service port is exposed via security group rules or load balancer configurations
- Container environments where the SGLang container's port is mapped to the host with public accessibility
Impact Assessment
| Impact Area | Description |
|---|---|
| Integrity | Attacker can write to any location accessible to the server process — config files, credentials, scripts |
| Confidentiality | File overwrite of sensitive configs may expose secrets; follow-on RCE provides full data access |
| Availability | Overwriting critical system files can crash the server or the host OS |
| Code Execution | Writing to cron directories, SSH authorized_keys, or web-accessible paths leads to OS-level code execution |
| Persistence | Attackers can establish persistent backdoors that survive service restarts |
Remediation
Immediate Mitigations
1. Firewall upload endpoints from untrusted networks
Restrict access to SGLang's API port to trusted IPs only:
# Block public access to SGLang API port (adjust port number)
iptables -A INPUT -p tcp --dport <api_port> ! -s <trusted_cidr> -j DROP2. Run SGLang as a low-privilege user
Ensure the SGLang server process runs as a non-root user with minimal write permissions:
# Create a dedicated service user with no shell and limited home
useradd -r -s /bin/false -d /opt/sglang sglang
# Run SGLang as this user
sudo -u sglang python -m sglang.launch_server ...A low-privilege user limits the blast radius of the path traversal — the attacker can only write to locations the service account can access.
3. Apply a filesystem sandbox
Use systemd service hardening or a container with strict volume mounts to restrict writable paths:
# /etc/systemd/system/sglang.service
[Service]
ReadOnlyPaths=/
ReadWritePaths=/opt/sglang/uploads /opt/sglang/cache
PrivateTmp=true
NoNewPrivileges=true4. Deploy behind an authenticated reverse proxy
Require API key or token authentication at the reverse proxy layer before requests reach SGLang upload endpoints.
Patch
Monitor the NVD entry for CVE-2026-7302 and the SGLang GitHub repository for vendor-issued patches. Apply available patches immediately after validation testing.
Detection
Look for file creation events in unexpected system directories originating from the SGLang process, or anomalous upload requests with .. in the filename field:
# Monitor file creation events (requires auditd)
auditctl -w /etc -p w -k sglang_etc_write
auditctl -w /root -p w -k sglang_root_write
auditctl -w /home -p w -k sglang_home_write
# Review audit logs for unexpected writes by SGLang user
ausearch -k sglang_etc_write -ts recent
# Check access logs for upload requests with traversal patterns
grep -E '\.\.\/' /var/log/nginx/access.logEvidence of exploitation includes unexpected files in system directories, modifications to cron jobs, SSH authorized_keys changes, or new user accounts.
Key Takeaways
- CVE-2026-7302 enables unauthenticated arbitrary file write via
../traversal in SGLang upload endpoint filenames — no credentials required - CVSS 9.1 (Critical) — network-accessible, zero authentication, high impact on integrity and confidentiality
- Companion to CVE-2026-7301 — both flaws were published the same day; treat SGLang deployments as critically compromised if internet-exposed
- Arbitrary file write is effectively RCE in most Linux environments via cron, SSH keys, or web shell placement
- Immediate action: restrict API access to trusted IPs, run SGLang as a low-privilege user, and apply vendor patches as soon as they are available
- AI runtime security is an increasingly critical discipline — default-open network bindings and unvalidated file operations in AI serving frameworks represent an expanding attack surface