External risk intelligence

SGLang systems exposed online allow attackers to take full control or disrupt services.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-7301

SGLang systems with exposed network interfaces allow attackers to run any code, potentially taking over your servers. Address this critical vulnerability immediately to prevent unauthorized access.

4Halo Surface Signal

Deserialization

Lmsys Sglang

0.5.10

External exposure likelihood

Halo Surface Signal score for CVE-2026-7301

The SGLang runtime scheduler defaults to binding the ROUTER socket to 0.0.0.0, allowing connections from anywhere. It is commonly deployed as an internet-exposed service for managing AI model workflows, enabling direct network access to the component. The service is designed to accept inbound network instructions, making it a reachable API endpoint for external interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the SGLangs multimodal generation runtime scheduler allows for remote code execution. This occurs because the scheduler's ROUTER socket binds to all network interfaces by default and processes incoming messages in a way that can be exploited. This is a critical issue that should be addressed promptly.

  • Internet-accessible component.
  • Full system compromise possible.
  • Easy to exploit.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by sending malicious messages to an exposed SGLang runtime scheduler. The scheduler will process these messages using `pickle.loads()`, allowing the attacker to execute arbitrary code on the affected server. This is particularly dangerous if the SGLang service is accessible from the internet without proper authentication.

  • Target is exposed SGLang scheduler.
  • Network access needed.
  • Malicious pickle payload.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk as it allows unauthenticated remote code execution through a network-accessible service that binds to all interfaces by default. Attackers are likely to target this due to the ease of exploitation and potential for broad impact on internet-facing deployments. The absence of authentication and the default binding behavior make it an attractive target for automated scanning and exploitation.

  • Public exploit available.
  • Likely to be weaponized quickly.
  • High impact and accessibility.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating services that expose the SGLang ROUTER socket to the internet, as a remote code execution vulnerability allows unauthenticated attackers to gain full control. If immediate isolation is not feasible, implement strict network segmentation and monitor for unusual outbound network activity.

  • Block internet access to the ROUTER socket.
  • Implement network segmentation for the service.
  • Monitor for anomalous outbound network connections.

Frequently asked questions

What is the SGLang multimodal generation runtime scheduler?

The SGLang multimodal generation runtime scheduler is a component used for managing AI model workflows. It allows for the scheduling and execution of generative tasks. The product is developed by lmsys and is identified with the product name 'sglang'.

What type of vulnerability does CVE-2026-7301 represent?

CVE-2026-7301 is a remote code execution (RCE) vulnerability. This means an attacker can run their own code on the affected system without physical access, essentially taking control of it.

How can an attacker exploit this SGLang vulnerability?

An attacker can exploit this by sending specially crafted messages to the SGLang runtime scheduler. The scheduler processes these messages using a function that is susceptible to malicious input, allowing the attacker to execute arbitrary code. It does not trigger if the service is not exposed to a network.

Who should be concerned about CVE-2026-7301?

Organizations running SGLang where the ROUTER socket is accessible from the internet should be concerned. Halo classifies this as an external exposure, meaning it's reachable from the internet, increasing the risk of attack.

What is the first step to address this threat?

The immediate first step is to isolate services that expose the SGLang ROUTER socket to the internet. If full isolation isn't possible, implement strict network segmentation to limit access and monitor for unusual network activity.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified