CVE-2026-14890

Source
https://cve.org/CVERecord?id=CVE-2026-14890
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14890.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14890
Published
2026-07-16T14:43:44.087Z
Modified
2026-07-18T03:46:34.065886166Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
CVE-2026-14890
Details

SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14890.json",
    "cna_assigner": "certcc"
}
References

Affected packages

Git / github.com/sgl-project/sglang

Affected ranges

Type
GIT
Repo
https://github.com/sgl-project/sglang
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.5.14"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

gateway-v0.*
gateway-v0.1.5
gateway-v0.1.6
gateway-v0.1.7
gateway-v0.1.8
gateway-v0.1.9
gateway-v0.2.0
gateway-v0.2.1
gateway-v0.2.2
gateway-v0.2.3
gateway-v0.2.4
gateway-v0.3.0
gateway-v0.3.1
v0.*
v0.1.10
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.20
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.3
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.14.post1
v0.2.14.post2
v0.2.15
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.2.9.post1
v0.3.0
v0.3.1.post1
v0.3.1.post2
v0.3.1.post3
v0.3.2
v0.3.3
v0.3.3.post1
v0.3.4
v0.3.4.post1
v0.3.4.post2
v0.3.5
v0.3.5.post1
v0.3.5.post2
v0.3.6
v0.3.6.post1
v0.3.6.post2
v0.3.6.post3
v0.4.0
v0.4.0.post1
v0.4.0.post2
v0.4.1
v0.4.1.post1
v0.4.1.post2
v0.4.1.post3
v0.4.1.post4
v0.4.1.post5
v0.4.1.post6
v0.4.1.post7
v0.4.10
v0.4.10.post1
v0.4.10.post2
v0.4.2
v0.4.2.post1
v0.4.2.post2
v0.4.2.post3
v0.4.2.post4
v0.4.3
v0.4.3.post1
v0.4.3.post2
v0.4.3.post3
v0.4.3.post4
v0.4.4
v0.4.4.post1
v0.4.4.post2
v0.4.4.post3
v0.4.4.post4
v0.4.5
v0.4.5.post1
v0.4.5.post2
v0.4.5.post3
v0.4.6
v0.4.6.post1
v0.4.6.post2
v0.4.6.post3
v0.4.6.post4
v0.4.6.post5
v0.4.7
v0.4.7.post1
v0.4.8
v0.4.8.post1
v0.4.9
v0.4.9.post1
v0.4.9.post2
v0.4.9.post3
v0.4.9.post4
v0.4.9.post5
v0.4.9.post6
v0.5.0rc0
v0.5.0rc1
v0.5.0rc2
v0.5.1
v0.5.1.post1
v0.5.1.post2
v0.5.1.post3
v0.5.14
v0.5.2
v0.5.2rc0
v0.5.2rc1
v0.5.2rc2
v0.5.3
v0.5.3.post1
v0.5.3.post2
v0.5.3.post3
v0.5.3rc0
v0.5.3rc1
v0.5.3rc2
v0.5.4
v0.5.4.post1
v0.5.4.post2
v0.5.4.post3
v0.5.5
v0.5.5.post1
v0.5.5.post2
v0.5.5.post3
v0.5.6
v0.5.6.post1
v0.5.6.post2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14890.json"