CVE-2026-14890

CVE-2026-14890CVE-2026-14890

Description

SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.

Scoring

CVSS 9.1 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Last modified2026-07-16
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.