PatchSiren cyber security CVE debrief
CVE-2026-14890 SGLang CVE debrief
CVE-2026-14890 is a critical vulnerability in SGLang's expert-parallel backup subsystem. The subsystem exposes a ZeroMQ PULL socket on a routable network interface without authentication or deserialization safeguards. This allows an attacker to provide a malicious pickle file, resulting in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. Organizations using SGLang with the expert-parallel backup feature enabled should prioritize patching. Network administrators and security teams should assess their exposure and implement compensating controls if necessary.
- Vendor
- SGLang
- Product
- Unknown
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Organizations using SGLang with the expert-parallel backup feature enabled should prioritize patching. Network administrators and security teams should assess their exposure and implement compensating controls if necessary. SGLang users with the expert-parallel backup feature enabled are at risk of unauthenticated remote code execution.
Technical summary
The vulnerability exists in SGLang's expert-parallel backup subsystem, which exposes a ZeroMQ PULL socket without authentication or deserialization safeguards. An attacker can exploit this by providing a malicious pickle file, leading to unauthenticated remote code execution when the feature is enabled and the service is network-reachable. The expert-parallel backup feature in SGLang is exposed on a routable network interface without authentication or deserialization safeguards.
Defensive priority
High priority should be given to patching SGLang installations with the expert-parallel backup feature enabled. In the absence of a patch, consider disabling the feature or restricting network access to the service.
Recommended defensive actions
- Apply the vendor's official patch as soon as available.
- Disable the expert-parallel backup feature if not in use.
- Restrict network access to the ZeroMQ PULL socket.
- Monitor for suspicious activity related to SGLang services.
- Inventory SGLang installations and assess exposure.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-16T16:19:00.413Z and last modified on 2026-07-16T19:16:44.403Z. The NVD entry is currently Awaiting Analysis. References include CERT and GitHub links. The expert-parallel backup feature in SGLang is exposed on a routable network interface without authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file. This results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. The vulnerability exists in SGLang's expert-parallel backup subsystem. The CVE record was last modified on 2026-07-16T19:16:44.403Z.
Official resources
-
CVE-2026-14890 CVE record
CVE.org
-
CVE-2026-14890 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T16:19:00.413Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.