PyPI: sglang

CVE-2026-3059

Safety vulnerability ID: SFTY-20260312-16031

Safety legacy ID: pyup.io-89031

Created at: Mar 27, 2026
Updated at: Mar 27, 2026

Overview

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker.

Advisory

Affected versions of the sglang package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of unauthenticated ZMQ broker messages with pickle.loads(). In python/sglang/multimodal_gen/runtime/scheduler_client.py, the multimodal generation broker receives attacker-controlled data with payload = await socket.recv() and immediately deserializes it with request_batch = pickle.loads(payload) without authentication or validation, which allows arbitrary Python objects to be reconstructed from untrusted input.
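
The difference between a data-only message and one that asks the unpickler to import something, shown as an added example (not SGLang's code and not the project's fix). The message schema, size cap, function names and sample payloads are assumptions constructed for illustration.

```python
import io
import json
import pickle
from collections import OrderedDict

MAX_PAYLOAD = 1 << 20  # assumed size cap for one broker message

# Constructed sample messages (not captured traffic).
PLAIN = pickle.dumps([{"prompt": "a cat"}])            # containers and strings only
WITH_GLOBAL = pickle.dumps(OrderedDict(prompt="a cat"))  # stream names a class to import


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every module.name lookup a pickle stream asks for."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def decode_restricted(payload: bytes):
    """Unpickle builtin containers and scalars only."""
    return NoGlobalsUnpickler(io.BytesIO(payload)).load()


def classify(payload: bytes) -> str:
    """Report whether a pickle stream is data-only or requests an import."""
    try:
        decode_restricted(payload)
        return "data-only"
    except pickle.UnpicklingError as exc:
        return str(exc)


def decode_json_batch(payload: bytes) -> list:
    """Data-only alternative: JSON list of {"prompt": str} (hypothetical schema)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    batch = json.loads(payload.decode("utf-8"))
    if not isinstance(batch, list):
        raise ValueError("batch must be a list")
    for req in batch:
        if not (isinstance(req, dict) and set(req) == {"prompt"}
                and isinstance(req["prompt"], str)):
            raise ValueError("malformed request")
    return batch


if __name__ == "__main__":
    print(classify(PLAIN), "|", classify(WITH_GLOBAL))
```

Neither decoder authenticates the sender; on affected versions the remedy stated on this page is upgrading to 0.5.10rc0 or higher.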

Affected Package

Affecting sglang package, versions <=0.5.9

How to Fix

Upgrade sglang to 0.5.10rc0 or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.