CVE-2026-14890

Summary

SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.

Affected Software

VendorProductVersion RangeStatus
SGLangSGLang0 <= 0.5.14affected

Weaknesses

  • CWE-502 (Deserialization of Untrusted Data)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References