SGLang Exposes Unsafe Pickle Deserialization Leading to RCE
Researchers disclosed on March 12, 2026 that SGLang, an open-source LLM and multimodal serving framework, contains unsafe pickle deserialization vulnerabilities tracked as CVE-2026-3059, CVE-2026-3060 and CVE-2026-3989. The flaws let attackers submit malicious .pkl files to ZeroMQ-based multimodal generation and encoder disaggregation modules, or to the replay_request_dump.py script, enabling unauthenticated remote code execution. Maintainers are advised to restrict access and replace pickle with safer serializers.
Key Points
- Identify unauthenticated pickle deserialization in SGLang's multimodal and disaggregation modules enabling remote code execution
- Highlight risks because pickle.loads() deserializes executable instructions, exposing hosts via ZeroMQ or replay scripts
- Advise restricting network access, avoiding pickle, and adopting safe serializers like JSON or msgpack immediately
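The two mitigations above (a data-only serializer instead of pickle, and refusing arbitrary globals where pickle cannot be removed yet) can be shown in a few lines. The following is an added example written for this report, not SGLang's code: the message layout, the field names and the function names are assumptions chosen for illustration.

```python
"""Added example: replacing unrestricted pickle.loads() on a socket boundary
(e.g. a ZeroMQ receiver) with a JSON codec plus schema check, and a
restricted unpickler as a stop-gap. Message shape and names are assumed."""
import base64
import datetime
import io
import json
import pickle

# Constructed sample request: an id, a text prompt and raw image bytes.
CONSTRUCTED_REQUEST = {
    "rid": "req-0001",
    "text": "describe the image",
    "image": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

# Assumed schema for the receiver: every field has one expected type.
EXPECTED_KEYS = {"rid": str, "text": str, "image": bytes}


def encode_request(msg: dict) -> bytes:
    """JSON on the wire: bytes fields are base64-tagged, so the message
    carries data only, never importable names or executable instructions."""
    wire = {}
    for key, value in msg.items():
        if isinstance(value, bytes):
            wire[key] = {"__bytes_b64__": base64.b64encode(value).decode("ascii")}
        else:
            wire[key] = value
    return json.dumps(wire).encode("utf-8")


def decode_request(raw: bytes, max_len: int = 1 << 20) -> dict:
    """Parse and validate an incoming message; reject anything that does not
    match the schema instead of trusting the sender."""
    if len(raw) > max_len:
        raise ValueError("message too large")
    wire = json.loads(raw.decode("utf-8"))
    if not isinstance(wire, dict):
        raise ValueError("request must be a JSON object")
    msg = {}
    for key, value in wire.items():
        if isinstance(value, dict) and set(value) == {"__bytes_b64__"}:
            value = base64.b64decode(value["__bytes_b64__"], validate=True)
        msg[key] = value
    for key, typ in EXPECTED_KEYS.items():
        if not isinstance(msg.get(key), typ):
            raise ValueError(f"field {key!r} missing or of wrong type")
    if set(msg) - set(EXPECTED_KEYS):
        raise ValueError("unexpected fields in request")
    return msg


class RestrictedUnpickler(pickle.Unpickler):
    """Stop-gap while pickle is still on the wire: refuse every global lookup,
    so only plain containers and scalars can be reconstructed. A pickle that
    names any module-level object (the mechanism that makes pickle.loads()
    execute attacker-chosen code) fails here before anything is called."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects_global_pickle(data: bytes) -> bool:
    """True if the restricted loader refuses the pickle."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return False or True
    return False


# Constructed samples: a plain-data pickle and one that references a global
# (datetime.date is harmless, but it exercises the same find_class path).
PLAIN_PICKLE = pickle.dumps({"a": [1, 2], "b": "x"})
GLOBAL_PICKLE = pickle.dumps(datetime.date(2026, 3, 12))

if __name__ == "__main__":
    print(decode_request(encode_request(CONSTRUCTED_REQUEST)) == CONSTRUCTED_REQUEST)
    print(restricted_loads(PLAIN_PICKLE))
    print(rejects_global_pickle(GLOBAL_PICKLE))
```

The JSON path is the intended end state: the receiver validates a fixed schema and a size limit, so a malformed or oversized message is an error rather than code execution. The restricted unpickler only buys time for a migration; it still parses attacker-controlled bytes and should sit behind the network restrictions the report recommends.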
Scoring Rationale
Practical significance for LLM-serving security with actionable fixes, but limited scope to SGLang deployments and interfaces.