CVE-2026-7304: The SGLang RCE That Exposed AI Inference Servers — aniketkarneai.com | aniketkarneai.com
daily

CVE-2026-7304: The SGLang RCE That Exposed AI Inference Servers

A critical unauthenticated remote code execution vulnerability in SGLang's multimodal runtime scored CVSS 9.8 — because one Python function, dill.loads(), turned inference servers into attack surfaces.

SGLang has become one of the most widely deployed LLM inference frameworks behind production systems at a significant fraction of AI companies. Its RadixAttention prefix caching and structured generation primitives make it a favourite for low-latency, high-throughput serving. So when a vulnerability in SGLang’s multimodal runtime earns a CVSS 9.8 score — critical, maximum severity — the entire AI infrastructure community should pay attention.

The Vulnerability: dill.loads() in the Hot Path

CVE-2026-7304 was disclosed in May 2026 and assigned a CVE ID on May 18. It affects SGLang’s multimodal generation runtime when the --enable-custom-logit-processor flag is enabled. The root cause is straightforward and damning: the server deserialises untrusted data through Python’s dill.loads() without any authentication or validation.

dill is a library that serialises and deserialises Python objects to/from bytes, similar to pickle but with broader scope — it can serialise closures, nested functions, and lambda expressions. Unlike pickle, dill is explicitly documented as unsafe for untrusted input. dill.loads() can execute arbitrary code during deserialisation. If an attacker can send a crafted serialised object to a SGLang server running with the custom logit processor enabled, they get RCE — no username, no password, no authentication token.

The attack surface is the custom logit processor interface, which is a legitimate extensibility point. Inference servers need to plug in custom logit manipulation — temperature scaling, top-p truncation, repeat penalty — so this is a feature, not an obscure code path. The problem is that the feature was designed without treating the serialised payload as a security boundary.

Why Inference Servers Are High-Value Targets

LLM inference servers are uniquely attractive targets for attackers. They run on GPU hardware, often have direct access to internal APIs, frequently sit behind authentication proxies but not always, and process sensitive data. Compromising an inference server doesn’t just give you a shell — it gives you the model’s context window, which may contain proprietary code, internal documents, or conversation history from hundreds of users.

In SGLang’s case, the server is multi-tenant by design: a single instance handles requests from many users. A successful exploit means the attacker can run arbitrary code as the process owner, read all active KV cache entries, and potentially pivot to other services in the same network namespace.

The vulnerability only triggers when --enable-custom-logit-processor is explicitly enabled, which limits exposure to operators who have intentionally turned on this experimental feature. But the feature exists precisely because production deployments need custom logit processing — so it won’t be a rare configuration.

What the CVSS 9.8 Actually Means

The Common Vulnerability Scoring System rates from 0 to 10. A 9.8 is reserved for vulnerabilities that are trivially exploitable, require no privileges, and result in total compromise. The breakdown:

  • Attack vector: Network (remotely exploitable, no physical access needed)
  • Attack complexity: Low (no special conditions beyond the flag being enabled)
  • Privileges required: None (no account needed)
  • User interaction: None (exploits without any human involvement)
  • Scope: Changed (the vulnerable component can compromise other system components)
  • Impact: Complete confidentiality, integrity, and availability compromise

This is as close to a “drop the server” vulnerability as the industry produces.

The Patch and Mitigations

The official mitigation is to upgrade to a patched SGLang version and to avoid running with --enable-custom-logit-processor in untrusted network environments. The CERT/CC vulnerability note VU#777338 documents three SGLang vulnerabilities from this disclosure window: two RCEs and one path traversal.

For operators who cannot patch immediately, the immediate mitigation is network-level access control: restrict the SGLang API port to trusted IPs only, ideally within a VPC with no direct internet exposure. The vulnerability is unauthenticated — any network caller who reaches the endpoint can exploit it.

For teams using SGLang in multi-tenant or customer-facing deployments, this is a mandatory upgrade, not a “schedule it next sprint” item.

What This Tells Us About AI Infrastructure Security

The SGLang RCE is the third significant security disclosure in the LLM inference stack in 2026 alone — following Orca Security’s February disclosures of CVE-2026-3059 and CVE-2026-3060, also RCEs in SGLang’s codebase. Inference servers are being stress-tested in production at scale, and the security bar for code that runs with GPU access and network exposure is still catching up to the deployment pace.

The deeper pattern is that AI infrastructure is assembling itself from the same Python ecosystem that has produced decades of deserialisation vulnerabilities. dill is not obscure — it has 7.5k GitHub stars and is widely used in ML pipelines for checkpoint serialisation and distributed training. The lesson isn’t “don’t use dill” — it’s that any code path that deserialises untrusted input needs to be treated as a security boundary, regardless of how innocent the serialisation library looks.

For teams building multi-agent systems, the inference server is a trusted component in your attack surface. Even if your agent framework is airtight, the serving layer underneath it can open a direct code execution path. SGLang’s adoption is a testament to its engineering — but its security surface is now a known quantity that needs active management.

Indicators of Compromise

If you’re running SGLang and want to check for exploitation attempts, look for:

  • Unexpected inbound connections to the API port from untrusted IPs
  • Unusual serialised Python objects in logit processor request payloads
  • Processes spawning shell commands on the inference host that weren’t initiated by your serving code
  • SGLang logs showing requests to the custom logit processor endpoint from sources you don’t recognise

The vulnerability has been publicly disclosed and exploited in proof-of-concept form. If your SGLang instance is internet-facing with --enable-custom-logit-processor enabled, treat it as compromised until proven otherwise.


The AI infrastructure stack is young and moving fast. SGLang is a genuinely impressive piece of engineering — the team behind it has shipped one of the fastest inference servers available. But production-grade AI serving means taking security as seriously as performance, because the cost of a breach isn’t just a server — it’s every conversation that server ever processed.

Aniket Karne
DevOps & AI Engineer · Amsterdam
Back to all posts