Critical Security Vulnerability in SGLang Framework Could Lead to Remote Code Execution via Malicious GGUF Models

A critical security flaw has been identified in SGLang, a high-performance open-source serving framework designed for large language models (LLMs) and multimodal models, which could allow unauthorized attackers to execute arbitrary code on targeted servers. The vulnerability, officially designated as CVE-2026-5760, has been assigned a CVSS (Common Vulnerability Scoring System) base score of 9.8 out of 10.0, categorizing it as "Critical." This vulnerability stems from a command injection weakness that manifests during the processing of specific model files, potentially granting an attacker full control over the underlying infrastructure hosting the SGLang service.

SGLang has gained significant traction within the artificial intelligence and machine learning communities due to its ability to provide high-throughput serving capabilities. As of the time of the disclosure, the project’s official GitHub repository has garnered over 26,100 stars and has been forked more than 5,500 times, highlighting its widespread adoption in both research and production environments. The discovery of such a severe flaw in a foundational piece of AI infrastructure underscores the growing security challenges associated with the rapid deployment of large-scale language model services.

Technical Analysis of CVE-2026-5760

The vulnerability resides within the framework’s reranking endpoint, located at /v1/rerank. According to an advisory released by the CERT Coordination Center (CERT/CC), the flaw allows for the execution of arbitrary Python code when the server processes a specially crafted GPT-Generated Unified Format (GGUF) model file. GGUF is a popular binary format used for distributing LLMs, designed to be efficient and extensible, succeeding the earlier GGML format.

The exploit mechanism involves a Server-Side Template Injection (SSTI) attack. SSTI occurs when an application embeds user-controlled input into a template before it is rendered by a template engine. In the case of SGLang, the vulnerability is triggered by a malicious GGUF model file containing a manipulated tokenizer.chat_template parameter. This parameter is intended to define how conversation histories are formatted for the model, but in this instance, it is used to carry a Jinja2 template injection payload.

Security researcher Stuart Beck, who is credited with discovering and reporting the flaw, noted that the root cause is the framework’s use of the jinja2.Environment() function without adequate sandboxing. Specifically, the framework failed to utilize the ImmutableSandboxedEnvironment class provided by the Jinja2 library. By using the standard, non-sandboxed environment, SGLang allows the template engine to access sensitive Python built-ins and libraries, which an attacker can then leverage to execute system-level commands.

The Attack Vector and Exploitation Path

The exploitation of CVE-2026-5760 follows a sophisticated yet direct path that leverages the trust inherent in model distribution. The sequence of events typically unfolds as follows:

1. Preparation of the Malicious Model: An attacker creates or modifies a GGUF model file. Within the metadata of this file, the tokenizer.chat_template field is injected with a malicious Jinja2 payload. This payload is designed to bypass standard restrictions and execute Python’s os or subprocess modules.
2. Distribution: The attacker distributes this "poisoned" model through public repositories, community forums, or direct social engineering. Given the collaborative nature of the AI community, users frequently download pre-trained models from third-party sources to save on computational costs.
3. Loading the Model: A victim, running an instance of SGLang, downloads and loads the malicious GGUF model into the server. At this stage, the server is "primed" for exploitation, but the code has not yet executed.
4. Triggering the Payload: The final stage occurs when a request is made to the /v1/rerank endpoint. The SGLang service attempts to render the chat template associated with the loaded model to process the request. Because the template contains the SSTI payload and the environment is not sandboxed, the malicious Python code is executed in the context of the SGLang service.

The result is Remote Code Execution (RCE), which allows the attacker to perform any action the SGLang service has permissions for. This could include stealing sensitive data, exfiltrating proprietary model weights, pivoting to other parts of the internal network, or deploying ransomware.

Chronology of Disclosure and Industry Context

The disclosure of CVE-2026-5760 follows a timeline that highlights the difficulties in coordinating security patches within fast-moving open-source projects.

• Discovery: The vulnerability was identified by Stuart Beck during a security audit of LLM serving frameworks.
• Reporting: The flaw was reported to the SGLang maintainers and coordinated through CERT/CC to ensure a structured disclosure process.
• Advisory Release: On April 20, 2026, CERT/CC released a public advisory (VU#915947) detailing the vulnerability and its potential impact.
• Current Status: Alarmingly, the advisory noted that "no response or patch was obtained during the coordination process." This means that as of the public disclosure date, the vulnerability may remain unaddressed in the official SGLang codebase, leaving users at immediate risk.

CVE-2026-5760 is not an isolated incident but rather part of a broader trend of vulnerabilities affecting AI infrastructure. It falls into the same category as CVE-2024-34359, popularly known as "Llama Drama," which affected the llama_cpp_python package. Llama Drama similarly allowed for RCE through malicious Jinja2 templates in model files and carried a CVSS score of 9.7. Furthermore, late in 2025, the vLLM framework addressed a comparable attack surface tracked as CVE-2025-61620.

The recurrence of these vulnerabilities suggests a systemic oversight in how AI serving frameworks handle model metadata. Developers often focus on the performance and accuracy of the inference engine while overlooking the security implications of the "auxiliary" data—like tokenizers and templates—that accompany the models.

Supporting Data and Security Implications

The critical nature of this flaw is underscored by the high CVSS score of 9.8. The score is calculated based on several factors:

• Attack Vector: Network (the exploit can be triggered remotely over the internet).
• Attack Complexity: Low (once a model is loaded, a simple API call triggers the flaw).
• Privileges Required: None (no authentication is necessarily required to hit the rerank endpoint in many default configurations).
• User Interaction: Required (a user must be convinced to load the malicious model).
• Impact: High (complete compromise of confidentiality, integrity, and availability).

The AI industry relies heavily on "Model Hubs" and open-source repositories. Data from cybersecurity firms indicates that supply chain attacks targeting these hubs are on the rise. By poisoning a popular model or a variant of a well-known model (such as a specific fine-tune of Llama or Mistral), an attacker can potentially compromise hundreds of downstream servers.

In the context of SGLang, the /v1/rerank endpoint is a critical component for applications utilizing Retrieval-Augmented Generation (RAG). RAG is currently the industry standard for reducing hallucinations in LLMs by providing the model with relevant external data. Reranking is the process of sorting that external data to find the most relevant snippets. Because RAG is so widely used in enterprise AI applications—from customer service bots to internal knowledge bases—the potential "blast radius" of CVE-2026-5760 is substantial.

Official Recommendations and Mitigation Strategies

In the absence of an official patch from the SGLang maintainers at the time of disclosure, CERT/CC and security researchers have provided clear guidance for mitigation.

The primary technical recommendation for developers is to transition from jinja2.Environment() to jinja2.sandbox.ImmutableSandboxedEnvironment(). The sandboxed environment in Jinja2 is specifically designed to prevent the execution of unsafe code by restricting access to sensitive attributes and methods. By making the environment "Immutable," developers can further ensure that the configuration cannot be altered at runtime to bypass security checks.

For organizations and individual users currently deploying SGLang, the following steps are recommended:

1. Vet Model Sources: Only download and load GGUF models from highly trusted, verified sources. Avoid using models from unknown contributors or unverified repositories on public hubs.
2. Audit Model Metadata: Before loading a model, use tools to inspect the metadata, specifically the tokenizer.chat_template field, for suspicious Python-like syntax or references to modules like os, subprocess, or sys.
3. Network Segmentation: Ensure that SGLang servers are isolated within the network. Use firewalls to restrict access to the /v1/rerank and other API endpoints to only known, authorized clients.
4. Run with Least Privilege: Execute the SGLang service under a dedicated, non-privileged user account. This limits the potential damage an attacker can do if they successfully achieve code execution.
5. Monitor for Anomalies: Implement robust logging and monitoring to detect unusual outbound network connections or unexpected process spikes on the serving infrastructure, which could indicate a successful breach.

Broader Impact on the AI Ecosystem

The discovery of CVE-2026-5760 serves as a stark reminder that the AI "stack" is subject to the same security rigors as traditional software. As LLMs become more integrated into critical business logic, the frameworks that serve them become high-value targets for threat actors.

The reliance on Jinja2 for prompt formatting and chat templating has created a recurring vulnerability pattern across the industry. This suggests a need for more secure-by-default standards in how models are packaged and how frameworks interpret their metadata. There is an ongoing discussion within the AI security community regarding the development of "safe" model formats that do not allow for the inclusion of executable scripts or complex templates that require powerful engines like Jinja2.

Furthermore, the "no response" status from the maintainers during the coordination phase highlights a potential crisis in open-source AI sustainability. Many critical frameworks are maintained by small teams or individual researchers who may lack the resources to respond rapidly to complex security disclosures. As these tools become infrastructure for multi-billion dollar enterprises, the gap between project resources and security requirements becomes increasingly dangerous.

In conclusion, CVE-2026-5760 is a significant vulnerability that demands immediate attention from anyone utilizing the SGLang framework. While the performance benefits of such frameworks are undeniable, they must not come at the cost of fundamental system security. The industry must move toward a model of "Security by Design," ensuring that the tools used to power the next generation of artificial intelligence are resilient against both traditional and AI-specific attack vectors.