A critical security vulnerability has been identified in SGLang, which, if exploited, could lead to remote code execution (RCE) on affected systems. This vulnerability, tracked as CVE-2026-5760, has been assigned a CVSS score of 9.8 out of 10.0, indicating its severity.
Details of the Vulnerability
The vulnerability is categorized as a command injection issue that allows an attacker to execute arbitrary code. Specifically, it affects the reranking endpoint /v1/rerank. An attacker can exploit this flaw by creating a malicious GPT-Generated Unified Format (GGUF) model file that includes a crafted tokenizer.chat_template parameter. This parameter contains a Jinja2 server-side template injection (SSTI) payload designed to trigger the vulnerable code path.
Exploitation Sequence
According to the CERT Coordination Center (CERT/CC), the exploitation process involves several steps:
1. An attacker creates a GGUF model file with a malicious tokenizer.chat_template containing a Jinja2 SSTI payload.
2. The template includes a specific trigger phrase to activate the vulnerable code path in the SGLang service.
3. A victim downloads and loads this model into SGLang.
4. When a request is made to the /v1/rerank endpoint, the malicious template is rendered, executing the attacker’s arbitrary Python code on the server.
Underlying Issues and Recommendations
The vulnerability arises because chat templates are rendered with a plain jinja2.Environment(), which applies no sandboxing, instead of Jinja2's ImmutableSandboxedEnvironment. This oversight allows a malicious model to execute arbitrary Python code on the inference server. To mitigate this vulnerability, it is advised to render chat templates with ImmutableSandboxedEnvironment, which rejects access to private attributes and mutation of shared objects and thereby prevents unauthorized code execution.
Related Vulnerabilities
CVE-2026-5760 is part of a broader category of vulnerabilities, similar to CVE-2024-34359 (known as Llama Drama, CVSS score: 9.7), which has been patched. Another related issue was addressed in CVE-2025-61620 affecting vLLM, which had a CVSS score of 6.5.
As of now, no patch or response has been issued regarding CVE-2026-5760 during the coordination process.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.