Description
SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
Published: 2026-05-18
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SGLang’s multimodal generation runtime contains a flaw that permits the execution of arbitrary code when the optional flag --enable-custom-logit-processor is activated. Under this configuration the runtime passes untrusted data to dill.loads(), which deserializes Python objects without performing any validation. An attacker who can supply a maliciously crafted pickle payload can cause the runtime to import and execute arbitrary code, effectively compromising the host system. The weakness is a classic example of unsafe deserialization that can fully compromise confidentiality, integrity, and availability of the affected system.
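The defender's view of why deserializing without validation is dangerous: a pickle-format stream names the modules and callables it wants imported, and those names can be read without loading anything. This is an added example, not SGLang's or OpenCVE's code; it assumes dill payloads are pickle-protocol streams, and the allowlist, function names and sample payloads are constructed for illustration.

```python
import collections
import pickle
import pickletools

# Hypothetical allowlist for this example: the only importable names a payload may reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
UNRESOLVED = ("?", "?")  # marker for an import the scan cannot name; never allowlisted
TEXT_PUSH = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_GET = {"GET", "BINGET", "LONG_BINGET"}
MEMO_PUT = {"PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(data: bytes) -> set:
    """List the (module, name) pairs a pickle stream would import, without loading it."""
    found, memo, recent = set(), {}, []  # recent: strings pushed back-to-back, newest last
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):  # module and name are carried inline
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module and name are the top two stack items
            pair = tuple(recent[-2:])
            found.add(pair if len(pair) == 2 and None not in pair else UNRESOLVED)
        elif op.name in ("EXT1", "EXT2", "EXT4"):  # copyreg extension codes also resolve to globals
            found.add(UNRESOLVED)
        elif op.name in TEXT_PUSH:
            recent.append(arg)
            continue
        elif op.name in MEMO_GET:
            recent.append(memo.get(arg))  # None if the memo slot did not hold a tracked string
            continue
        elif op.name == "MEMOIZE" or op.name in MEMO_PUT:
            key = len(memo) if op.name == "MEMOIZE" else arg
            memo[key] = recent[-1] if recent else None
            continue
        recent = []  # any other opcode: stop trusting our view of the stack (fail closed)
    return found

def is_safe_to_load(data: bytes) -> bool:
    """True only if the stream parses and every import it names is allowlisted."""
    try:
        return referenced_globals(data) <= ALLOWED_GLOBALS
    except Exception:  # malformed or truncated stream: refuse
        return False

# Constructed samples: plain data, an allowlisted class reference, a callable reference.
PLAIN = pickle.dumps({"temperature": 0.7, "top_k": [1, 2]}, protocol=4)
ALLOWED_REF = pickle.dumps(collections.OrderedDict, protocol=4)
CALLABLE_REF = pickle.dumps(len, protocol=4)
if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("allowed", ALLOWED_REF), ("callable", CALLABLE_REF)):
        print(label, sorted(referenced_globals(blob)), is_safe_to_load(blob))
```

A scan like this is useful for triaging and logging received payloads; it does not make dill.loads() safe to call on untrusted input, so it complements rather than replaces disabling the flag.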

Affected Systems

Any deployment of the SGLang multimodal generation runtime that employs the --enable-custom-logit-processor option is vulnerable. No specific version constraints are listed, so every release before a future fix that validates dill deserialization is at risk. The vulnerability impacts users who run the runtime locally or on a network‑accessible machine where the option can be enabled.

Risk and Exploitability

The CVSS score is 9.8 (Critical), reflecting the ability to execute untrusted code without authentication. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or remote to the runtime process: an attacker who can invoke SGLang with the vulnerable flag can drop a malicious pickle payload, which the runtime will deserialize and execute. The exploitation requires the ability to configure or control the command line arguments for the runtime, implying the need for administrative or elevated privileges on the host.

Generated by OpenCVE AI on May 18, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Disable the --enable-custom-logit-processor flag when launching the SGLang runtime until a validated patch becomes available
  • Upgrade to the latest SGLang release that incorporates input validation for dill deserialization, once it is released
  • If a patch is not immediately available, restrict execution of the SGLang process to a sandboxed or least‑privilege environment where arbitrary code execution will not affect critical resources


Advisories

No advisories yet.

History

Mon, 18 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 18 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sglang; Sglang sglang
Weaknesses | | CWE-502
Vendors & Products | | Sglang; Sglang sglang

Mon, 18 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
Title | | CVE-2026-7304
References | |

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-05-18T14:04:23.864Z

Reserved: 2026-04-28T11:45:05.762Z

Link: CVE-2026-7304

Vulnrichment

Updated: 2026-05-18T14:03:59.597Z

NVD

Status: Received

Published: 2026-05-18T12:16:16.713

Modified: 2026-05-18T15:16:27.227

Link: CVE-2026-7304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T15:30:28Z

Weaknesses