CVE-2026-5760 — SGLang GGUF template RCE
A critical remote code execution vulnerability in SGLang allows attacker- controlled model metadata/template content to execute code when processed by the vulnerable reranking path. CERT/CC published VU#915947 on 2026-04-20, tracking this issue as CVE-2026-5760. The public advisories checked on 2026-05-02 describe mitigation/workaround guidance; do not assume a fixed upstream release exists unless the SGLang release notes or advisory explicitly say so.
When to use it
- A repository builds or deploys SGLang inference, rerank, or model-loading services.
- GGUF/model artifacts, tokenizer templates, or model metadata can come from users, automation, shared buckets, registries, or external providers.
- Rerank/model-loading endpoints are reachable by untrusted users or workflows.
- You need a bounded PR or triage note that upgrades SGLang and locks down model-source trust.
Inputs
- Python manifests, lockfiles, container tags, model-serving charts, deployment manifests, cached wheel layers, SBOMs, and generated reports.
- Rerank endpoint config, model-loading paths, approved model registries or buckets, digest/signature policy, and network/auth controls.
- Available tests, service smoke checks, image build, deployment render, SBOM, model provenance checks, and dependency/security scan commands.
Affected versions
- Vulnerable: SGLang builds whose
/v1/rerankpath renders model-supplied chat templates with unsandboxedjinja2.Environment(); public reporting names SGLang0.5.9and earlier. - Fixed: no verified upstream fixed release was identified in the sources checked on 2026-05-02. Treat a later release as fixed only if its release notes or advisory explicitly mention CVE-2026-5760 or the sandboxed-template change.
Indicator-of-exposure
- SGLang service is enabled with reranking/model-loading paths.
- Untrusted or externally sourced GGUF/model artifacts can reach runtime.
- Service is network-reachable from untrusted users.
Quick checks:
python -m pip show sglang
rg -n "rerank|chat_template|GGUF|tokenizer.chat_template" .
ss -lntp | rg ':(30000|8080|80|443)'
Remediation strategy
- Upgrade SGLang when a verified fixed release is available.
- Until then, patch the affected code path to use a sandboxed Jinja2
environment such as
ImmutableSandboxedEnvironment, or disable/v1/rerank. - Treat model artifacts as untrusted input; allow-list approved model sources.
- Disable or isolate vulnerable endpoints until patch deployment completes.
- Rebuild and redeploy affected inference images after patching.
The prompt
You are remediating CVE-2026-5760 (SGLang GGUF/template RCE). Produce exactly
one output:
- A PR/change request with the patch + compensating controls, or
- TRIAGE.md if a safe patch path is unavailable.
## Rules
- Scope only this CVE.
- Assume model files and template metadata are untrusted.
- Prefer a verified vendor-fixed SGLang release if one exists; otherwise apply
the sandboxed-template mitigation and isolate the endpoint.
- Do not auto-merge.
## Steps
1. Detect current SGLang version in manifests/lockfiles/container tags.
2. Confirm whether vulnerable model-template processing paths are enabled.
3. If a fixed SGLang release is available, upgrade and regenerate
lockfiles/images. If not, patch the vulnerable template-rendering path to
use `ImmutableSandboxedEnvironment` or disable the rerank endpoint.
4. Add guardrails in deployment config/docs:
- only pull models from approved registries/buckets,
- disable risky endpoints or restrict them behind auth/network policy,
- capture provenance (digest/signature) for model files.
5. Run tests and service smoke checks.
6. PR title:
`fix(sec): remediate CVE-2026-5760 in sglang runtime`.
## Stop conditions
- No verified fixed release is available and local patching/endpoint isolation
cannot be safely applied.
- SGLang not present in this repo/deployment.
- Build/test failures are unrelated and pre-existing.
Verification — what the reviewer looks for
- Dependency/container version points to a verified fixed SGLang release, or the vulnerable template-rendering path has been patched/disabled.
- Deployment docs/config include model-source trust controls.
- No vulnerable SGLang version remains in lockfile/image bill of materials.
Output contract
- Reviewer-ready PR upgrading SGLang to the vendor-fixed release and refreshing lockfiles, images, cached wheels, SBOMs, and deployment manifests.
- Deployment guardrails for approved model sources, digest/signature provenance, endpoint auth/network policy, and staged-rollout containment.
- Safe smoke checks that verify fixed versions and source policy without loading untrusted GGUF/model artifacts.
TRIAGE.mdwhen no fixed release exists for the platform or the inference runtime is outside repository ownership.
Watch for
- Upgrading Python manifests while an inference image, model-serving chart, or cached wheel layer still installs the affected SGLang release.
- Treating model files as trusted because they came from an internal bucket that many users or automation jobs can write to.
- Leaving rerank/model-loading endpoints reachable during a staged rollout without authentication, network policy, or source allow-listing.
- Smoke tests that load untrusted GGUF/model artifacts instead of checking package versions, approved source policy, and endpoint containment.
Related recipes
- CVE-2025-49596 MCP Inspector proxy RCE
- Source code supply-chain build integrity audit
- CVE intelligence intake gate
References
- CERT/CC VU#915947: https://kb.cert.org/vuls/id/915947
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-5760
- SGLang releases: https://github.com/sgl-project/sglang/releases