PyPI: sglang

CVE-2026-3060

Safety vulnerability ID: SFTY-20260312-28803

Safety legacy ID: pyup.io-89030

Created at: Mar 27, 2026
Updated at: Mar 27, 2026

Overview

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module.

Advisory

Affected versions of the sglang package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of attacker-controlled data with Python pickle. In python/sglang/srt/disaggregation/encode_receiver.py, the _try_recv_mm_data and _recv_mm_data methods call pickle.loads(parts[0]) on data received through the disaggregation module’s messaging flow without authentication or validation, allowing untrusted objects to be reconstructed from network input.
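
The root cause described above is a pickle.loads call on unauthenticated network bytes. As an added example (not SGLang's code and not the fix shipped in 0.5.10rc0), the receiver below checks an HMAC tag before parsing and decodes with JSON instead of pickle. The pre-shared key, the two-part frame layout and the field names are assumptions made for the example.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class RejectedFrame(Exception):
    """Frame failed authentication or schema validation."""


def seal(key: bytes, payload: dict) -> list[bytes]:
    """Sender side: JSON body plus an HMAC tag, as a two-part message."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return [body, hmac.new(key, body, hashlib.sha256).digest()]


def open_frame(key: bytes, parts: list[bytes]) -> dict:
    """Receiver side: authenticate first, then parse as data only."""
    if len(parts) != 2 or len(parts[1]) != TAG_LEN:
        raise RejectedFrame("unexpected frame layout")
    body, tag = parts
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise RejectedFrame("bad authentication tag")
    try:
        msg = json.loads(body)  # JSON yields only dict/list/str/number/bool/None
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise RejectedFrame("body is not JSON") from exc
    # Hypothetical schema: these field names are assumptions for the example.
    if not isinstance(msg, dict) or set(msg) != {"req_id", "shape", "dtype"}:
        raise RejectedFrame("unexpected fields")
    if not isinstance(msg["req_id"], str) or msg["dtype"] not in {"float16", "bfloat16"}:
        raise RejectedFrame("bad field value")
    shape = msg["shape"]
    if not (isinstance(shape, list) and all(type(n) is int and n > 0 for n in shape)):
        raise RejectedFrame("bad shape")
    return msg


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-secret"  # constructed sample value
    frame = seal(key, {"req_id": "r1", "shape": [2, 1024], "dtype": "float16"})
    print(open_frame(key, frame))
    try:
        open_frame(key, [frame[0] + b" ", frame[1]])  # body altered in transit
    except RejectedFrame as exc:
        print("rejected:", exc)
```

The tag check does not stop replay of a previously valid frame, and the key still has to be distributed out of band to every sender and receiver.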

Affected Package

Affects the sglang package, versions <=0.5.9

Also affects

---

How to Fix

Upgrade sglang to 0.5.10rc0 or higher.

Mitigation and Workarounds

---


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
