Description
A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the get_tokenizer function of sgl-project SGLang’s HuggingFace Transformer handler overrides the caller’s explicit security setting: when the caller passes trust_remote_code=False, the library silently calls AutoTokenizer.from_pretrained again with trust_remote_code=True. If the model repository contains a malicious tokenizer.py referenced via auto_map in tokenizer_config.json, arbitrary Python code is executed in the SGLang process. The attack can be launched remotely, requires high complexity, and is considered difficult, but success results in full code execution with no log lines or warnings generated.

Affected Systems

sgl-project SGLang versions up to 0.5.9 are affected by this flaw. No patched versions are listed in the CVE data.

Risk and Exploitability

The CVSS score of 6.3 corresponds to Medium severity, while the EPSS score of <1% suggests exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. The attack is remote and depends on get_tokenizer loading a model repository that contains a malicious tokenizer.py referenced via auto_map; the second call, made with trust_remote_code=True, overrides the caller’s trust_remote_code=False. Successful exploitation would give the attacker arbitrary code execution in the SGLang process.

Generated by OpenCVE AI on May 4, 2026 at 07:26 UTC.

Remediation

No vendor fix or workaround currently provided.
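
Because the override described above ignores trust_remote_code=False, the only reliable signal is in the model files themselves. The following is an added example, not code from the advisory or from SGLang: it inspects a local model snapshot for auto_map references in tokenizer_config.json without loading the tokenizer. The function names and the sample directories are hypothetical, and the auto_map layout (a "module.Class" string, optionally nested in lists or dicts and prefixed with "repo--") is assumed to follow the usual Hugging Face convention.

```python
import json
import tempfile
from pathlib import Path


def auto_map_refs(value):
    """Flatten an auto_map value (str, list or dict) into 'module.Class' strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, tuple)):
        return [r for v in value for r in auto_map_refs(v)]
    if isinstance(value, dict):
        return [r for v in value.values() for r in auto_map_refs(v)]
    return []  # None or unexpected types carry no reference


def audit_tokenizer_dir(model_dir):
    """Return findings for a local snapshot; an empty list means no custom tokenizer code is referenced."""
    model_dir = Path(model_dir)
    cfg_path = model_dir / "tokenizer_config.json"
    if not cfg_path.is_file():
        return []
    try:
        cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [f"unreadable tokenizer_config.json: {exc}"]
    if not isinstance(cfg, dict):
        return ["tokenizer_config.json is not a JSON object"]
    findings = []
    for ref in auto_map_refs(cfg.get("auto_map")):
        # "repo--module.Class" points at another repository; keep only module.Class.
        module = ref.split("--")[-1].rsplit(".", 1)[0]
        source = module.replace(".", "/") + ".py"
        state = "present" if (model_dir / source).is_file() else "not in snapshot"
        findings.append(f"auto_map -> {ref} ({source} {state})")
    return findings


def demo():
    """Constructed sample snapshots: one that references custom code, one that does not."""
    with tempfile.TemporaryDirectory() as tmp:
        flagged, clean = Path(tmp, "flagged"), Path(tmp, "clean")
        flagged.mkdir()
        clean.mkdir()
        (flagged / "tokenizer_config.json").write_text(json.dumps(
            {"auto_map": {"AutoTokenizer": ["tokenizer.CustomTokenizer", None]}}))
        (flagged / "tokenizer.py").write_text("# constructed placeholder, no logic\n")
        (clean / "tokenizer_config.json").write_text(json.dumps({"model_max_length": 4096}))
        return audit_tokenizer_dir(flagged), audit_tokenizer_dir(clean)
```

Any finding means the snapshot references Python that an affected SGLang version can execute even when the caller asked for trust_remote_code=False, so review or reject that snapshot before serving it.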

OpenCVE Recommended Actions

  • Upgrade sgl-project SGLang to the latest release that includes the code injection fix.
  • Disable or restrict external access to the get_tokenizer API until the vulnerability is patched.
  • Monitor logs for anomalous calls to get_tokenizer and block any suspicious traffic.

Generated by OpenCVE AI on May 4, 2026 at 07:26 UTC.


Advisories
Source | ID | Title
Github GHSA | GHSA-6m5f-673f-5vh7 | SGLang has an Improper Input Validation/Injection Issue
History

Tue, 05 May 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Sgl-project
Sgl-project sglang
Vendors & Products Sgl-project
Sgl-project sglang

Mon, 04 May 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-502

Mon, 04 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Values Added: A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title
Values Removed: sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer deserialization
Values Added: sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer code injection
Weaknesses CWE-74
CWE-94
References
Metrics
Values Removed:

cvssV2_0

{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

Values Added:

cvssV2_0

{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}


Sat, 02 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Title sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer deserialization
Weaknesses CWE-20
CWE-502
References
Metrics cvssV2_0

{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T00:31:40.051Z

Reserved: 2026-05-02T08:00:13.701Z

Link: CVE-2026-7669

Vulnrichment

Updated: 2026-05-05T00:31:35.648Z

NVD

Status: Deferred

Published: 2026-05-02T22:16:24.080

Modified: 2026-05-05T19:15:06.200

Link: CVE-2026-7669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:06:45Z

Weaknesses