VulnWatch
Critical · github · GHSA-gwv6-pq6m-p3rq

SGLang: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket

Published May 18, 2026 CVSS 9.8

The ROUTER socket of SGLang's multimodal generation runtime scheduler binds to 0.0.0.0 by default, and the scheduler contains a sink that calls pickle.loads() on incoming messages. Together these enable remote code execution when the socket is exposed to the internet.
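The two defects described above, a default bind to all interfaces and pickle.loads() on socket input, each have a straightforward hardened counterpart. The following is an added illustration, not SGLang's own code: the function and class names are invented, and the sample payloads are constructed inline.

```python
# Added example (not SGLang's code): hardened counterpart to the two defects
# in the advisory. Names are invented; sample payloads are constructed here.
import collections
import io
import json
import pickle
from typing import Any, Optional, Tuple


def choose_bind_address(configured: Optional[str]) -> str:
    """Default the scheduler socket to loopback; 0.0.0.0 is opt-in only."""
    if configured is None or not configured.strip():
        return "127.0.0.1"
    return configured.strip()


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every global lookup. An untrusted pickle can then only rebuild
    builtin scalars and containers, never resolve or call an importable."""

    def find_class(self, module: str, name: str) -> Any:
        raise pickle.UnpicklingError(
            f"refused global {module}.{name} in untrusted pickle")


def try_decode(raw: bytes, allow_pickle: bool = False) -> Tuple[bool, Any]:
    """Decode one socket frame. Returns (True, payload) or (False, reason).

    JSON is the only format accepted by default. Pickle is accepted only when
    the caller opts in, and then only through NoGlobalsUnpickler.
    """
    try:
        return True, json.loads(raw.decode("utf-8"))
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both qualify
        if not allow_pickle:
            return False, "rejected: frame is not JSON and pickle is disabled"
    try:
        return True, NoGlobalsUnpickler(io.BytesIO(raw)).load()
    except pickle.UnpicklingError as exc:
        return False, f"rejected: {exc}"
    except Exception as exc:  # truncated or otherwise malformed stream
        return False, f"rejected: malformed pickle ({type(exc).__name__})"


# Constructed samples: a pickle of plain containers, and one whose class
# reference forces a global lookup (OrderedDict is a harmless stand-in).
SAMPLE_PLAIN_PICKLE = pickle.dumps({"x": [1, 2]})
SAMPLE_GLOBAL_PICKLE = pickle.dumps(collections.OrderedDict())

if __name__ == "__main__":
    print(choose_bind_address(None))
    print(try_decode(b'{"task": "generate", "n": 2}'))
    print(try_decode(SAMPLE_PLAIN_PICKLE, allow_pickle=True))
    print(try_decode(SAMPLE_GLOBAL_PICKLE, allow_pickle=True))
```

The restricted unpickler is a containment measure for legacy peers; switching the wire format to JSON (or another data-only format) and keeping the bind on loopback is the actual fix.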

Affected AI Products

sglang