Description
SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().
Published: 2026-04-20
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Mitigation
AI Analysis

Impact

SGLang's /v1/rerank API loads a model file that may contain a malicious tokenizer.chat_template. During rendering, the library invokes Jinja2 without sandboxing, allowing the template code to execute as part of the service. This flaw permits an attacker who can supply a crafted model file to execute arbitrary code on the host running SGLang, leading to full system compromise. The weakness originates from unsanitized template execution and is related to CWE-94.

Affected Systems

The vulnerability affects the SGLang application, specifically the reranking endpoint /v1/rerank. No specific version numbers are provided, but the issue exists in the current release used at the time of the report. The product is identified as SGLang:SGLang by the CNA. Administrators should check any instance of SGLang exposing the rerank API for potential exploitation.

Risk and Exploitability

The CVSS score is 9.8, and the EPSS score is unavailable, but the presence of RCE implies a high severity risk. The attack requires delivery of a malicious tokenizer.chat_template via a model file that the SGLang service processes. While the exact privilege level needed to upload the model is not detailed, it is inferred that an adversary with sufficient write access to the model storage can trigger the flaw. The vulnerability is not listed in the CISA KEV catalog, but its exploitability, combined with the lack of sandboxing, suggests that it could be leveraged by attackers with network access to the affected service.

Generated by OpenCVE AI on April 20, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or restrict the /v1/rerank endpoint to trusted users only.
  • Validate or strip the tokenizer.chat_template field from uploaded model files before loading them into the service.
  • Upgrade SGLang to a newer release that applies a sandboxed Jinja2 environment or otherwise sanitizes templates. If a patch is not yet available, consider protecting the application behind a reverse proxy that blocks untrusted model uploads.
  • Monitor system logs for suspicious Jinja template rendering attempts and failing authentication attempts to the rerank endpoint.

Generated by OpenCVE AI on April 20, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
References

Mon, 20 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Sglang
Sglang sglang
Vendors & Products Sglang
Sglang sglang

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().
Title CVE-2026-5760
References

Subscriptions

Sglang Sglang
cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-20T15:29:54.098Z

Reserved: 2026-04-07T18:02:12.417Z

Link: CVE-2026-5760

cve-icon Vulnrichment

Updated: 2026-04-20T15:29:54.098Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T14:16:21.680

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-5760

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses