CVE-2026-3059
Published: 12 March 2026
Description
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
Mitigating Controls (NIST 800-53 r5)
Requires validation of untrusted inputs to the ZMQ broker prior to deserialization, directly preventing execution of malicious payloads via pickle.loads().
Mandates identification, reporting, and correction of the specific deserialization flaw, enabling application of the vendor patch from SGLang release v0.5.10.
Implements boundary protection to monitor and control network communications to the exposed ZMQ broker, blocking unauthenticated remote access by attackers.
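One way to apply the input-validation control to a broker like this, as an added example (not SGLang's code and not the v0.5.10 fix): each frame carries an HMAC tag that is verified before any parsing, and the body is JSON rather than pickle. The pre-shared key, the field names and the size limit are assumptions for illustration.

```python
import hashlib
import hmac
import json
import pickle

TAG_LEN = hashlib.sha256().digest_size               # 32-byte HMAC-SHA256 tag
MAX_FRAME = 1 << 20                                  # assumed 1 MiB ceiling
ALLOWED_FIELDS = {"request_id": str, "prompt": str}  # hypothetical schema


def seal(key: bytes, message: dict) -> bytes:
    """Sender side: serialize as JSON and prepend an HMAC tag."""
    body = json.dumps(message, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_frame(key: bytes, frame: bytes) -> dict:
    """Receiver side: authenticate first, then parse a data-only format."""
    if not TAG_LEN < len(frame) <= MAX_FRAME:
        raise ValueError("frame size out of bounds")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise ValueError("authentication failed")
    message = json.loads(body)                       # JSON cannot name callables
    if not isinstance(message, dict) or set(message) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected message shape")
    for field, kind in ALLOWED_FIELDS.items():
        if not isinstance(message[field], kind):
            raise ValueError(f"bad type for {field}")
    return message


def try_open(key: bytes, frame: bytes) -> str:
    """Return 'accepted' or the rejection reason, suitable for logging."""
    try:
        open_frame(key, frame)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    good = seal(key, {"request_id": "r1", "prompt": "a red bicycle"})
    # Constructed, harmless pickle of a plain dict: an untagged legacy frame.
    raw_pickle = pickle.dumps({"request_id": "r2", "prompt": "x" * 64})
    print(try_open(key, good))
    print(try_open(key, raw_pickle))
```

The HMAC tag authenticates the sender but does not stop replay of a captured frame, and the broker port still needs the network restriction described above.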
Security Summary
CVE-2026-3059 is a critical vulnerability in SGLang's multimodal generation module, where the ZMQ broker deserializes untrusted data using pickle.loads() without authentication, enabling unauthenticated remote code execution. Published on 2026-03-12, it is associated with CWE-502 (Deserialization of Untrusted Data) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network-accessible nature and comprehensive impact on system confidentiality, integrity, and availability.
Any unauthenticated attacker with network access to the affected SGLang deployment can exploit this flaw by transmitting malicious serialized data to the ZMQ broker. Successful exploitation results in arbitrary remote code execution on the server, with no requirement for user privileges or interaction, potentially allowing full compromise of the hosting environment.
Mitigation details are outlined in the SGLang GitHub security advisory (GHSA-3cp7-c6q2-94xr), which references a fix in pull request #20904 and release v0.5.10. The vulnerable code is visible in scheduler_client.py, and further analysis appears in the Orca Security blog post on SGLang LLM framework RCE vulnerabilities.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote code execution via deserialization in a network-accessible ZMQ broker in SGLang directly enables exploitation of a public-facing application.