CVE-2026-14890 PUBLISHED

CVE-2026-14890

Assigner: certcc
Reserved: 06.07.2026 Published: 16.07.2026 Updated: 16.07.2026

SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.

Product Status

Vendor SGLang
Product SGLang
Versions
  • affected from 0 to 0.5.14 (incl.)

References

Problem Types

  • CWE-502 (Deserialization of Untrusted Data)