Full Report
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code. SGLang is a high-performance, open-source serving
Analysis Summary
# Vulnerability: Critical RCE in SGLang via Malicious GGUF Models
## CVE Details
- **CVE ID:** CVE-2026-5760
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code / Command Injection)
## Affected Systems
- **Products:** SGLang (High-performance LLM serving framework)
- **Versions:** Impacted through version 0.5.9 (Discovery version)
- **Configurations:** Systems utilizing the `/v1/rerank` endpoint and loading third-party GGUF format models.
## Vulnerability Description
The vulnerability is a Server-Side Template Injection (SSTI) flaw residing in the reranking endpoint. SGLang uses the Jinja2 templating engine to process model chat templates. Specifically, the framework utilizes `jinja2.Environment()` without a sandbox for human-readable template rendering in `entrypoints/openai/serving_rerank.py`.
An attacker can craft a GGUF model file where the `tokenizer.chat_template` parameter contains a malicious Jinja2 payload. When SGLang loads this model and receives a trigger request at the `/v1/rerank` endpoint (specifically involving Qwen3 reranker trigger phrases), the unsandboxed environment executes the attacker’s arbitrary Python code.
## Exploitation
- **Status:** PoC developed by security researcher Stuart Beck; details disclosed publicly.
- **Complexity:** Low (Requires victim to load a malicious model).
- **Attack Vector:** Network (Remote via distribution of crafted model files on platforms like Hugging Face).
## Impact
- **Confidentiality:** High (Full access to system data and environment variables).
- **Integrity:** High (Ability to modify files or system configurations).
- **Availability:** High (Potential for complete system takeover or service disruption).
## Remediation
### Patches
- **Status:** As of the reporting date, no official patch was obtained during the coordination process. Users are advised to monitor the official SGLang GitHub repository for version updates exceeding 0.5.9.
### Workarounds
- **Code Modification:** Replace `jinja2.Environment()` with `jinja2.ImmutableSandboxedEnvironment()` in the SGLang source code to restrict the capabilities of the template engine.
- **Source Validation:** Only load GGUF models from trusted, verified authors and repositories.
- **Network Isolation:** Restrict access to the `/v1/rerank` endpoint to authorized internal traffic only.
## Detection
- **Indicators of Compromise:** Unusual outbound network connections from the SGLang server; unexpected Python child processes triggered by the serving framework.
- **Detection Methods:** Inspect GGUF model metadata for suspicious Jinja2 syntax (e.g., `{{ ... }}` containing calls to `__import__`, `os.system`, or `subprocess`) within the `chat_template` field.
## References
- **CERT/CC Advisory:** hxxps[://]kb[.]cert[.]org/vuls/id/915947
- **Vulnerability Research Repository:** hxxps[://]github[.]com/Stuub/SGLang-0.5.9-RCE
- **SGLang Project:** hxxps[://]github[.]com/sgl-project/sglang
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-5760