{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3989", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-03-11T16:41:06.512Z", "datePublished": "2026-03-12T11:37:48.314Z", "dateUpdated": "2026-04-07T18:46:48.636Z"}, "containers": {"cna": {"title": "CVE-2026-3989", "descriptions": [{"lang": "en", "value": "SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "SGLang", "product": "SGLang", "versions": [{"status": "affected", "version": "0.5.10"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "references": [{"url": "https://github.com/sgl-project/sglang/blob/main/scripts/playground/replay_request_dump.py"}, {"url": "https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/"}, {"url": "https://github.com/sgl-project/sglang/releases/tag/v0.5.10"}, {"url": "https://github.com/sgl-project/sglang/pull/20904"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3989"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-07T18:46:48.636Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T18:21:15.871965Z", "id": "CVE-2026-3989", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:21:27.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3989", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T18:21:15.871965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:20:56.612Z"}}], "cna": {"title": "CVE-2026-3989", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "SGLang", "product": "SGLang", "versions": [{"status": "affected", "version": "0.5.10"}]}], "references": [{"url": "https://github.com/sgl-project/sglang/blob/main/scripts/playground/replay_request_dump.py"}, {"url": "https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/"}, {"url": "https://github.com/sgl-project/sglang/releases/tag/v0.5.10"}, {"url": "https://github.com/sgl-project/sglang/pull/20904"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3989"}, "descriptions": [{"lang": "en", "value": "SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-07T18:46:48.636Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3989", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:46:48.636Z", "dateReserved": "2026-03-11T16:41:06.512Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-12T11:37:48.314Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script."}, {"lang": "es", "value": "SGLangs 'replay_request_dump.py' contiene un pickle.load() inseguro sin validaci\u00f3n y una deserializaci\u00f3n adecuada. Un atacante puede aprovechar esto al proporcionar un archivo .pkl malicioso, lo que ejecutar\u00e1 el c\u00f3digo del atacante en el dispositivo que ejecuta el script."}], "id": "CVE-2026-3989", "lastModified": "2026-04-07T19:16:47.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-12T12:15:59.630", "references": [{"source": "cret@cert.org", "url": "https://github.com/sgl-project/sglang/blob/main/scripts/playground/replay_request_dump.py"}, {"source": "cret@cert.org", "url": "https://github.com/sgl-project/sglang/pull/20904"}, {"source": "cret@cert.org", "url": "https://github.com/sgl-project/sglang/releases/tag/v0.5.10"}, {"source": "cret@cert.org", "url": "https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.5.5,0.5.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "sglang", "vendor": "sglang"}], "analysis": {"en": {"generated_at": "2026-03-17T17:01:41.678851+00:00", "value": {"mitigation_remediation": ["Update SGLang to the latest version that removes or protects the replay_request_dump.py functionality.", "If an update is not available, modify the script to validate or restrict the data loaded by pickle, or replace it with a safer serialization format such as JSON.", "Restrict execution of replay_request_dump.py to trusted users and run it in isolated environments to limit the impact of a potential exploit.", "Monitor for unexpected execution of the script with .pkl files and audit related logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected vendor: SGLang. Product: SGLang, specifically the replay_request_dump.py script. No precise version information is provided in the CVE data, so any release that includes this script is potentially vulnerable.", "description_and_impact": "The vulnerability resides in SGLang\u2019s replay_request_dump.py script, which performs insecure deserialization by calling pickle.load() on untrusted data without validation. An attacker that can supply a crafted .pkl file to the script can execute arbitrary code on the device running the script, leading to full compromise of confidentiality, integrity, and availability of the affected system. This weakness corresponds to the common weakness classification CWE-502 (Insecure Deserialization).", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% suggests low likelihood of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector requires an attacker to get the malicious .pkl file processed by the script, which normally runs under the privileges of the user executing it. If the script is executed with elevated or privileged rights, the attacker can gain extensive system control. The exploit path is straightforward: supply a malicious pickle payload, invoke the script, and the payload\u2019s code is executed during deserialization. The vulnerability can be prevented by removing the insecure load or ensuring only trusted data is deserialized."}}}}, "created": "2026-03-13T09:53:16.805964+00:00", "updated": "2026-03-20T15:49:53.865541+00:00", "vendors": ["sglang", "sglang$PRODUCT$sglang"]}