{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3060", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-02-23T18:17:34.976Z", "datePublished": "2026-03-12T11:37:37.009Z", "dateUpdated": "2026-04-07T18:45:35.370Z"}, "containers": {"cna": {"title": "CVE-2026-3060", "descriptions": [{"lang": "en", "value": "SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "SGLang", "product": "SGLang", "versions": [{"status": "affected", "version": "0.5.10"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "references": [{"url": "https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py"}, {"url": "https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/"}, {"url": "https://github.com/sgl-project/sglang/releases/tag/v0.5.10"}, {"url": "https://github.com/sgl-project/sglang/pull/20904"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3060"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-07T18:45:35.370Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:20:47.695650Z", "id": "CVE-2026-3060", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:21:19.594Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3060", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:20:47.695650Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:19:27.200Z"}}], "cna": {"title": "CVE-2026-3060", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "SGLang", "product": "SGLang", "versions": [{"status": "affected", "version": "0.5.10"}]}], "references": [{"url": "https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py"}, {"url": "https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/"}, {"url": "https://github.com/sgl-project/sglang/releases/tag/v0.5.10"}, {"url": "https://github.com/sgl-project/sglang/pull/20904"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3060"}, "descriptions": [{"lang": "en", "value": "SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-07T18:45:35.370Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3060", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:45:35.370Z", "dateReserved": "2026-02-23T18:17:34.976Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-12T11:37:37.009Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lmsys:sglang:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E8F6412-A923-42B6-8A44-ABE6009333E3", "versionEndIncluding": "0.5.9", "versionStartIncluding": "0.5.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication."}, {"lang": "es", "value": "El sistema de desagregaci\u00f3n paralela del codificador de SGLang es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo no autenticada a trav\u00e9s del m\u00f3dulo de desagregaci\u00f3n, que deserializa datos no confiables utilizando pickle.loads() sin autenticaci\u00f3n."}], "id": "CVE-2026-3060", "lastModified": "2026-04-07T19:16:47.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-12T12:15:59.530", "references": [{"source": "cret@cert.org", "tags": ["Product"], "url": "https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py"}, {"source": "cret@cert.org", "url": "https://github.com/sgl-project/sglang/pull/20904"}, {"source": "cret@cert.org", "url": "https://github.com/sgl-project/sglang/releases/tag/v0.5.10"}, {"source": "cret@cert.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.5.5,0.5.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "sglang", "vendor": "sglang"}], "analysis": {"en": {"generated_at": "2026-03-17T17:22:50.168435+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website for updates or patches that remove the insecure pickle.loads usage or replace it with a secure deserialization mechanism.", "If no patch is available, restrict network access to the disaggregation module and ensure that only trusted inputs are processed, or replace pickle.loads with a safe alternative if possible.", "Disable or bypass the disaggregation functionality if it is not required for your deployment to reduce exposure.", "Monitor logs and traffic for anomalous data to detect potential exploitation attempts."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the SGLang framework from the vendor SGLang. No specific version information is provided by the CNA; therefore, all releases that include the disaggregation module are potentially impacted. The vulnerable component is identified by the CPE cpe:2.3:a:lmsys:sglang:*:*:*:*:*:*:*:*.", "description_and_impact": "SGLang\u2019s encoder parallel disaggregation system deserializes untrusted data using pickle.loads() in the disaggregation module without authentication, which allows an attacker to supply malicious payloads. This results in unauthenticated remote code execution, granting full control over affected servers and compromising confidentiality, integrity, and availability. The vulnerability is classified as CWE-502: Deserialization of Untrusted Data.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. The EPSS score is less than 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires an attacker to send crafted data to the disaggregation module, and because it is unauthenticated and exposed over a network-accessible interface, the likely attack vector is remote network-based, inferred from the description."}}}}, "created": "2026-03-13T09:53:17.863097+00:00", "title": "Remote Code Execution via Unauthenticated Pickle Deserialization in SGLang\u2019s Disaggregation Module", "updated": "2026-03-20T15:49:54.774933+00:00", "vendors": ["sglang", "sglang$PRODUCT$sglang"]}