CVE-2026-5760 — SGLang GGUF template RCE

A critical remote code execution vulnerability in SGLang allows attacker- controlled model metadata/template content to execute code when processed by the vulnerable reranking path. CERT/CC published VU#915947 on 2026-04-20, tracking this issue as CVE-2026-5760. The public advisories checked on 2026-05-02 describe mitigation/workaround guidance; do not assume a fixed upstream release exists unless the SGLang release notes or advisory explicitly say so.

When to use it

  • A repository builds or deploys SGLang inference, rerank, or model-loading services.
  • GGUF/model artifacts, tokenizer templates, or model metadata can come from users, automation, shared buckets, registries, or external providers.
  • Rerank/model-loading endpoints are reachable by untrusted users or workflows.
  • You need a bounded PR or triage note that upgrades SGLang and locks down model-source trust.

Inputs

  • Python manifests, lockfiles, container tags, model-serving charts, deployment manifests, cached wheel layers, SBOMs, and generated reports.
  • Rerank endpoint config, model-loading paths, approved model registries or buckets, digest/signature policy, and network/auth controls.
  • Available tests, service smoke checks, image build, deployment render, SBOM, model provenance checks, and dependency/security scan commands.

Affected versions

  • Vulnerable: SGLang builds whose /v1/rerank path renders model-supplied chat templates with unsandboxed jinja2.Environment(); public reporting names SGLang 0.5.9 and earlier.
  • Fixed: no verified upstream fixed release was identified in the sources checked on 2026-05-02. Treat a later release as fixed only if its release notes or advisory explicitly mention CVE-2026-5760 or the sandboxed-template change.

Indicator-of-exposure

  • SGLang service is enabled with reranking/model-loading paths.
  • Untrusted or externally sourced GGUF/model artifacts can reach runtime.
  • Service is network-reachable from untrusted users.

Quick checks:

python -m pip show sglang
rg -n "rerank|chat_template|GGUF|tokenizer.chat_template" .
ss -lntp | rg ':(30000|8080|80|443)'

Remediation strategy

  • Upgrade SGLang when a verified fixed release is available.
  • Until then, patch the affected code path to use a sandboxed Jinja2 environment such as ImmutableSandboxedEnvironment, or disable /v1/rerank.
  • Treat model artifacts as untrusted input; allow-list approved model sources.
  • Disable or isolate vulnerable endpoints until patch deployment completes.
  • Rebuild and redeploy affected inference images after patching.

The prompt

You are remediating CVE-2026-5760 (SGLang GGUF/template RCE). Produce exactly
one output:

- A PR/change request with the patch + compensating controls, or
- TRIAGE.md if a safe patch path is unavailable.

## Rules

- Scope only this CVE.
- Assume model files and template metadata are untrusted.
- Prefer a verified vendor-fixed SGLang release if one exists; otherwise apply
  the sandboxed-template mitigation and isolate the endpoint.
- Do not auto-merge.

## Steps

1. Detect current SGLang version in manifests/lockfiles/container tags.
2. Confirm whether vulnerable model-template processing paths are enabled.
3. If a fixed SGLang release is available, upgrade and regenerate
   lockfiles/images. If not, patch the vulnerable template-rendering path to
   use `ImmutableSandboxedEnvironment` or disable the rerank endpoint.
4. Add guardrails in deployment config/docs:
   - only pull models from approved registries/buckets,
   - disable risky endpoints or restrict them behind auth/network policy,
   - capture provenance (digest/signature) for model files.
5. Run tests and service smoke checks.
6. PR title:
   `fix(sec): remediate CVE-2026-5760 in sglang runtime`.

## Stop conditions

- No verified fixed release is available and local patching/endpoint isolation
  cannot be safely applied.
- SGLang not present in this repo/deployment.
- Build/test failures are unrelated and pre-existing.

Verification — what the reviewer looks for

  • Dependency/container version points to a verified fixed SGLang release, or the vulnerable template-rendering path has been patched/disabled.
  • Deployment docs/config include model-source trust controls.
  • No vulnerable SGLang version remains in lockfile/image bill of materials.

Output contract

  • Reviewer-ready PR upgrading SGLang to the vendor-fixed release and refreshing lockfiles, images, cached wheels, SBOMs, and deployment manifests.
  • Deployment guardrails for approved model sources, digest/signature provenance, endpoint auth/network policy, and staged-rollout containment.
  • Safe smoke checks that verify fixed versions and source policy without loading untrusted GGUF/model artifacts.
  • TRIAGE.md when no fixed release exists for the platform or the inference runtime is outside repository ownership.

Watch for

  • Upgrading Python manifests while an inference image, model-serving chart, or cached wheel layer still installs the affected SGLang release.
  • Treating model files as trusted because they came from an internal bucket that many users or automation jobs can write to.
  • Leaving rerank/model-loading endpoints reachable during a staged rollout without authentication, network policy, or source allow-listing.
  • Smoke tests that load untrusted GGUF/model artifacts instead of checking package versions, approved source policy, and endpoint containment.

References