Security researchers have issued a warning to the AI development community following the discovery of critical vulnerabilities in SGLang, a popular open-source serving framework for Large Language Models (LLMs). The flaws, which center on the unsafe handling of Python’s “pickle” serialization format, could allow unauthenticated attackers to seize complete control of AI serving infrastructure.
The most severe of these vulnerabilities, tracked as CVE-2026-3059 and CVE-2026-3060, have been assigned a CVSS score of 9.8, marking them as a critical threat to organizations deploying models like DeepSeek, Mistral, and Qwen.
The vulnerability lies within SGLang's multimodal generation module and its Encoder Parallel Disaggregation system. These systems use Python's pickle module to package and transport data between components. Pickle, however, is not a data-only format: a pickle stream can instruct the loader to import and call arbitrary callables (for example through an object's `__reduce__` hook), so unpickling input from an untrusted source is equivalent to executing code chosen by whoever produced that input.
As the security advisory explains:
“An attacker who can send crafted messages to the ZeroMQ interface may trigger unsafe pickle deserialization in SGLang when certain features are enabled, potentially leading to remote code execution.”
By sending a specially crafted pickle payload to the service's ZeroMQ interface, an attacker can trigger the vulnerability and execute Python code with the same privileges as the SGLang service process. Note the advisory's qualifier: the vulnerable code path is only reachable when the affected features are enabled, so the first question for any deployment is whether those features are turned on and who can reach the ZeroMQ endpoint.
A secondary vulnerability, CVE-2026-3989, affects the debugging workflow rather than the serving path. If an administrator uses the replay_request_dump.py script to analyze a crash dump file that an attacker supplied or was able to modify, the script deserializes the dump and executes the embedded malicious code with the administrator's privileges.
This “replay” attack effectively turns a developer’s own diagnostic tools against them, leading to what researchers describe as potential “host compromise, lateral movement, or data exfiltration”.
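Both attack paths above, the crafted ZeroMQ message and the poisoned dump file, rely on the same primitive: pickle will call whatever callable the stream names. The following is an added example written for this article, not SGLang code; the "message" and "dump" are constructed byte strings, and the `referenced_globals` and `RestrictedUnpickler` helpers are illustrative names, not SGLang APIs. It shows the payload executing under a plain `pickle.loads`, a static scan that lists the globals a blob would import without loading it (what an analyst should run on a dump before anyone "replays" it), and a loader that refuses every global lookup.

```python
"""Why an untrusted pickle is code execution, and two ways to refuse it.

Added example for this article, not SGLang code. The ZeroMQ message and crash
dump are stand-ins: constructed byte strings built here, not real SGLang traffic.
"""
import io
import os
import pickle
import pickletools

# A benign message of the kind a serving framework might carry: plain data only.
BENIGN_MESSAGE = {"req_id": "r-1", "tokens": [1, 2, 3], "image": b"\x89PNG"}


class MaliciousMessage:
    """What an attacker ships. __reduce__ lets an object name a callable and the
    arguments the unpickler must invoke it with to 'rebuild' the object. Here it
    names builtins.eval, so loading the pickle evaluates attacker-chosen Python."""

    def __init__(self, expression: str) -> None:
        self.expression = expression

    def __reduce__(self):
        return (eval, (self.expression,))


def build_malicious_pickle(expression: str = "__import__('os').getpid()",
                           protocol: int = 4) -> bytes:
    """Serialise the payload exactly as it would travel over ZeroMQ or sit in a dump."""
    return pickle.dumps(MaliciousMessage(expression), protocol=protocol)


def benign_pickle() -> bytes:
    """A data-only pickle, for comparison (constructed here)."""
    return pickle.dumps(BENIGN_MESSAGE, protocol=4)


def unsafe_load(blob: bytes):
    """The vulnerable pattern: pickle.loads on bytes from an untrusted source."""
    return pickle.loads(blob)


def referenced_globals(blob: bytes) -> list:
    """Statically list every (module, name) the pickle would import, without
    executing it. Useful for triaging a dump file before anyone replays it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)          # STACK_GLOBAL takes module/name from the stack
        elif op.name == "STACK_GLOBAL":  # protocol 4 and later
            found.append((strings[-2], strings[-1]))
        elif op.name == "GLOBAL":        # protocol 3 and earlier: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. Data-only messages (dicts, lists, str, bytes,
    numbers) never trigger find_class, so they still load; anything that names a
    callable is rejected before it can run."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo_attack() -> bool:
    """True if the malicious pickle ran code: the result equals this process's
    PID, which the payload obtained by evaluating an expression, not as data."""
    return unsafe_load(build_malicious_pickle()) == os.getpid()


def demo_defense() -> str:
    """The same blob through the restricted loader: returns the refusal message."""
    try:
        restricted_load(build_malicious_pickle())
    except pickle.UnpicklingError as exc:
        return str(exc)
    return "loaded (should not happen)"


if __name__ == "__main__":
    blob = build_malicious_pickle()
    print("globals referenced:", referenced_globals(blob))
    print("unsafe load executed attacker code:", demo_attack())
    print("restricted load:", demo_defense())
    print("benign message via restricted loader:", restricted_load(benign_pickle()))
```

The static scan is the cheap check: a request dump that is supposed to contain only prompts, token lists and images has no business referencing `builtins.eval`, `os.system` or `subprocess` anything, and `pickletools.genops` reports that without running a single opcode. The restricted loader is the stronger control when pickle cannot be removed immediately, but it is a stopgap: the advisory's recommendation to stop using pickle for untrusted input still stands.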
In a concerning twist, the advisory notes that during the coordinated disclosure process, “no vendor statement was obtained” and maintainers have not yet responded to a proposed patch.
“It is recommended that project maintainers avoid implementing Pickle functions due to the inherent security risks“.
Until an official patch is merged, organizations using SGLang should apply compensating controls around their deployments:
- Isolate Interfaces: Ensure that SGLang service interfaces and ZeroMQ endpoints are never exposed to untrusted networks or the public internet; bind them to loopback or a dedicated internal interface.
- Network Segmentation: Implement strict network access controls (firewall rules or security groups, alongside VPC peering where used) so that only authorized internal services can reach the LLM framework.
- Transition to Safe Formats: Developers are encouraged to migrate projects away from pickle in favor of data-only serialization formats such as JSON, XML, or msgpack, which describe values rather than instructions to construct objects.
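What the last recommendation looks like in practice is an added example written for this article, not SGLang's own codec: a JSON wire format for a request message with an invented schema (`req_id`, `prompt`, `tokens`, `image`) standing in for whatever fields a real multimodal request carries. Binary fields travel base64-encoded, the decoder validates every field against the schema and rejects unknown keys, and it refuses outright any payload that starts with pickle's PROTO opcode, so a legacy or hostile sender still shipping pickle gets an error rather than a deserialization attempt.

```python
"""A data-only wire format to replace pickle for request messages.

Added example for this article, not SGLang code. SCHEMA, SAMPLE_REQUEST and the
legacy pickle blob are constructed stand-ins for real SGLang message shapes.
"""
import base64
import json
import pickle

SCHEMA = {            # field -> required Python type after decoding (invented schema)
    "req_id": str,
    "prompt": str,
    "tokens": list,
    "image": bytes,   # binary payloads travel base64-encoded inside the JSON
}

SAMPLE_REQUEST = {
    "req_id": "r-1",
    "prompt": "describe the image",
    "tokens": [1, 2, 3],
    "image": b"\x89PNG\r\n\x1a\n",
}

# What a not-yet-migrated sender would still emit for the same message.
LEGACY_PICKLE_MESSAGE = pickle.dumps(SAMPLE_REQUEST, protocol=4)


class WireError(ValueError):
    """Raised for any payload the decoder refuses; the message says why."""


def _check_fields(msg: dict, encoded: bool = False) -> None:
    """Enforce the schema: no unknown keys, no missing keys, exact types."""
    unknown = set(msg) - set(SCHEMA)
    missing = set(SCHEMA) - set(msg)
    if unknown or missing:
        raise WireError(f"refused: unknown={sorted(unknown)} missing={sorted(missing)}")
    for key, want in SCHEMA.items():
        if encoded and want is bytes:
            want = str          # on the wire, bytes fields are base64 strings
        if not isinstance(msg[key], want):
            raise WireError(f"refused: field {key!r} must be {want.__name__}")
    if not all(isinstance(t, int) and not isinstance(t, bool) for t in msg["tokens"]):
        raise WireError("refused: tokens must be a list of int")


def encode_request(req: dict) -> bytes:
    """Encode a message as JSON. Only primitives cross the wire, so the decoder
    never has to construct objects and nothing in the stream can name a callable."""
    _check_fields(req)
    body = {k: (base64.b64encode(v).decode("ascii") if SCHEMA[k] is bytes else v)
            for k, v in req.items()}
    return json.dumps(body, separators=(",", ":")).encode("utf-8")


def decode_request(blob: bytes) -> dict:
    """Decode and validate. Refuses pickle before touching it."""
    if blob[:1] == pickle.PROTO:   # b'\x80' opens every protocol>=2 pickle stream
        raise WireError("refused: payload is a pickle, not JSON")
    try:
        body = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise WireError(f"refused: not valid JSON ({exc})") from None
    if not isinstance(body, dict):
        raise WireError("refused: top-level value must be an object")
    _check_fields(body, encoded=True)
    out = {}
    for key, value in body.items():
        if SCHEMA[key] is bytes:
            try:
                value = base64.b64decode(value, validate=True)
            except ValueError as exc:   # binascii.Error is a ValueError
                raise WireError(f"refused: field {key!r} is not base64 ({exc})") from None
        out[key] = value
    return out


def reject_reason(blob: bytes) -> str:
    """Empty string if the payload decodes, otherwise the refusal message."""
    try:
        decode_request(blob)
        return ""
    except WireError as exc:
        return str(exc)


if __name__ == "__main__":
    wire = encode_request(SAMPLE_REQUEST)
    print(wire)
    print(decode_request(wire) == SAMPLE_REQUEST)
    print(reject_reason(LEGACY_PICKLE_MESSAGE))
    print(reject_reason(b'{"req_id": "r-2", "extra": 1}'))
```

The PROTO check only matches pickle protocol 2 and later; protocols 0 and 1 have no leading marker, but those streams are not valid JSON either and fail at `json.loads`. The point of the schema check is that a JSON decoder hands back dicts, lists, strings and numbers and nothing else, so the worst a hostile message can do is be rejected.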