Description
SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.
Published:
2026-07-16
Score:
n/a
EPSS:
n/a
KEV:
No
Impact:
n/a
Action:
n/a
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Thu, 16 Jul 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Sglang
Sglang sglang |
|
| Vendors & Products |
Sglang
Sglang sglang |
Thu, 16 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. | |
| Title | CVE-2026-14890 | |
| References |
|
Status: PUBLISHED
Assigner: certcc
Published:
Updated: 2026-07-16T18:23:35.561Z
Reserved: 2026-07-06T17:51:01.634Z
Link: CVE-2026-14890
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T17:00:02Z
Weaknesses
No weakness.