CRITICAL🇵🇱 Wersja polska

CVE-2026-5760

CVSS 9.8v3.1pub. 2026-04-20upd. 2026-06-03

SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().

🤖 AI Analysis
How it works

The /v1/rerank endpoint in SGLang renders Jinja2 templates defined in the tokenizer.chat_template field of the model file. Rendering is performed using an unsecured jinja2.Environment() object that does not apply sandboxing. An attacker can provide a model file containing a malicious Jinja2 template, whose execution leads to arbitrary code execution on the server side. The lack of authentication and complexity restrictions (AC:L, PR:N, UI:N) makes exploitation exceptionally simple.

Impact

An attacker can gain full control of the server — read, modify, or delete data (C:H, I:H, A:H on the CVSS scale), as well as execute arbitrary system commands in the context of the SGLang process.

Mitigation & patch

Patches available in the project repository should be applied (pull request sgl-project/sglang#23660). Until the fix is implemented, it is recommended to restrict network access to the /v1/rerank endpoint only to trusted hosts and avoid loading model files from untrusted sources.

Who is affected

SGLang version 0.5.9 and potentially other versions with an unsecured Jinja2 engine — the exact version range is indicated in the producer's references (pull request #23660 in the sgl-project/sglang repository).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lmsys Sglang

    APP
    Lmsys
    < 0.5.11
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-7301CRITICAL9.8PL ✓ten sam produkt

RCE w SGLang przez niebezpieczną deserializację pickle na gnieździe ROUTER

CVE-2026-7302CRITICAL9.1PL ✓ten sam produkt

SGLang: path traversal umożliwiający zapis dowolnych plików bez uwierzytelnienia

CVE-2026-7304CRITICAL9.8PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w SGLang (dill.loads)

CVE-2026-3059CRITICAL9.8PL ✓ten sam produkt

RCE w SGLang przez deserializację pickle bez uwierzytelnienia (ZMQ broker)

CVE-2026-3060CRITICAL9.8PL ✓ten sam produkt

SGLang: nieuwierzytelnione RCE przez deserializację pickle w module disaggregation