CVE-2026-5760 — SGLang GGUF template RCE

A critical remote code execution vulnerability in SGLang allows attacker-controlled model metadata/template content to execute code when processed by the vulnerable reranking path. CERT/CC published VU#915947 on 2026-04-20, tracking this issue as CVE-2026-5760.

Affected versions

  • Vulnerable: SGLang releases before the vendor’s fixed release for CVE-2026-5760
  • Fixed: upgrade to the first SGLang release that explicitly includes the CVE-2026-5760 remediation (verify via release notes/advisory)

Indicator-of-exposure

  • SGLang service is enabled with reranking/model-loading paths.
  • Untrusted or externally sourced GGUF/model artifacts can reach runtime.
  • Service is network-reachable from untrusted users.

Quick checks:

python -m pip show sglang
rg -n "rerank|chat_template|GGUF|tokenizer.chat_template" .
ss -lntp | rg ':(30000|8080|80|443)\b'

Remediation strategy

  • Upgrade SGLang to the fixed release.
  • Treat model artifacts as untrusted input; allow-list approved model sources.
  • Disable or isolate vulnerable endpoints until patch deployment completes.
  • Rebuild and redeploy affected inference images after patching.
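
An added example, not part of the original page or of SGLang's code: one way to apply the "treat model artifacts as untrusted input" control is to read the GGUF metadata without rendering anything and compare the SHA-256 of each embedded chat template (the `tokenizer.chat_template` key from the quick checks) against an allow-list of reviewed templates. The function names, the 1 MiB string cap and the sample file builder are assumptions made for illustration; the parser follows the GGUF v2/v3 key-value layout.

```python
import hashlib, io, struct
# GGUF v2/v3 scalar value types -> little-endian struct formats
SCALARS = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
           6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}

def _unpack(f, fmt):
    raw = f.read(struct.calcsize(fmt))
    if len(raw) != struct.calcsize(fmt):
        raise ValueError("truncated GGUF metadata")
    return struct.unpack(fmt, raw)[0]

def _string(f, limit=1 << 20):  # length cap: the header is untrusted input
    n = _unpack(f, "<Q")
    raw = f.read(n) if n <= limit else b""
    if len(raw) != n:
        raise ValueError("oversized or truncated GGUF string")
    return raw.decode("utf-8", "surrogateescape")

def _value(f, vtype):
    if vtype in SCALARS:
        return _unpack(f, SCALARS[vtype])
    if vtype == 8:  # string
        return _string(f)
    if vtype == 9:  # array: element type, count, then the elements
        etype, count = _unpack(f, "<I"), _unpack(f, "<Q")
        return [_value(f, etype) for _ in range(count)]
    raise ValueError(f"unknown GGUF value type {vtype}")

def chat_templates(f):  # {key: text} for metadata keys containing "chat_template"
    if f.read(4) != b"GGUF" or _unpack(f, "<I") < 2:
        raise ValueError("not a GGUF v2+ file")
    _tensor_count, kv_count = _unpack(f, "<Q"), _unpack(f, "<Q")
    found = {}
    for _ in range(kv_count):
        key, value = _string(f), _value(f, _unpack(f, "<I"))
        if "chat_template" in key and isinstance(value, str):
            found[key] = value
    return found

def unreviewed_templates(f, approved_sha256):  # {key: sha256} not on the allow-list
    digests = {k: hashlib.sha256(t.encode("utf-8", "surrogateescape")).hexdigest()
               for k, t in chat_templates(f).items()}
    return {k: d for k, d in digests.items() if d not in approved_sha256}

def sample_gguf(template):  # constructed input for this example, not a real model
    s = lambda b: struct.pack("<Q", len(b)) + b
    kv = s(b"tokenizer.ggml.tokens") + struct.pack("<IIQ", 9, 8, 2) + s(b"a") + s(b"b")
    kv += s(b"tokenizer.chat_template") + struct.pack("<I", 8) + s(template.encode())
    return io.BytesIO(b"GGUF" + struct.pack("<IQQ", 3, 0, 2) + kv)
```

Run a check like this in the model-intake step, before the file reaches an inference host; a non-empty result from `unreviewed_templates` means the embedded template has not been reviewed.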

The prompt

You are remediating CVE-2026-5760 (SGLang GGUF/template RCE). Produce exactly
one output:

- A PR/change request with the patch + compensating controls, or
- TRIAGE.md if a safe patch path is unavailable.

## Rules

- Scope only this CVE.
- Assume model files and template metadata are untrusted.
- Prefer minimal safe version bump to the vendor-fixed SGLang release.
- Do not auto-merge.

## Steps

1. Detect current SGLang version in manifests/lockfiles/container tags.
2. Confirm whether vulnerable model-template processing paths are enabled.
3. Upgrade SGLang to fixed version and regenerate lockfiles/images.
4. Add guardrails in deployment config/docs:
   - only pull models from approved registries/buckets,
   - disable risky endpoints or restrict them behind auth/network policy,
   - capture provenance (digest/signature) for model files.
5. Run tests and service smoke checks.
6. PR title:
   `fix(sec): remediate CVE-2026-5760 in sglang runtime`.

## Stop conditions

- Fixed version not yet available for target platform.
- SGLang not present in this repo/deployment.
- Build/test failures are unrelated and pre-existing.

Verification — what the reviewer looks for

  • Dependency/container version now points to a fixed SGLang release.
  • Deployment docs/config include model-source trust controls.
  • No vulnerable SGLang version remains in lockfile/image bill of materials.

References