SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 16 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. | |
| Title | CVE-2026-14890 | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: certcc
Published:
Updated: 2026-07-16T16:29:23.722Z
Reserved: 2026-07-06T17:51:01.634Z
Link: CVE-2026-14890
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.