CVE-2026-5760
Remote Code Execution in SGLang /v1/rerank via Unsafe Jinja2 Template
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stuub | sglang | 0.5.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5760 is a critical Remote Code Execution (RCE) vulnerability in SGLang version 0.5.9. It occurs because the reranking endpoint (/v1/rerank) renders chat templates from model files using an unsandboxed Jinja2 environment. Specifically, the vulnerability arises when a malicious GGUF model file contains a specially crafted tokenizer.chat_template with a Server-Side Template Injection (SSTI) payload.
The reranking endpoint uses jinja2.Environment() without sandboxing or autoescaping, allowing the malicious template to execute arbitrary Python code on the server. When the vulnerable endpoint processes a request with this malicious template, it can run arbitrary OS commands, such as through Python's os.popen(), leading to full remote code execution.
This vulnerability is due to improper neutralization of special elements in the template engine (CWE-1336) and improper control of code generation (CWE-94). A proof-of-concept exploit demonstrates how an attacker can embed a payload in the model file to execute shell commands on the server.
How can this vulnerability impact me? :
This vulnerability allows an attacker to execute arbitrary code on the server running the SGLang reranking endpoint. This means an attacker can run any command on the server, potentially leading to full system compromise.
- Unauthorized access to sensitive data stored or processed by the server.
- Modification or deletion of critical files and data.
- Deployment of malware or ransomware on the affected system.
- Disruption of service by executing destructive commands.
Overall, the vulnerability can lead to severe security breaches, data loss, and operational downtime.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your SGLang installation is running version 0.5.9 and if the reranking endpoint (/v1/rerank) is in use. Specifically, look for the presence of the vulnerable code in the file python/sglang/srt/entrypoints/openai/serving_rerank.py around lines 128-132 where an unsandboxed jinja2.Environment() is used.
To detect exploitation attempts or presence of malicious model files, you can monitor requests to the /v1/rerank endpoint for suspicious payloads containing the trigger phrase "The answer can only be 'yes' or 'no'" or unusual template content in tokenizer.chat_template fields.
Suggested commands include searching for the vulnerable code pattern in your source code repository or deployed environment:
- grep -r 'jinja2.Environment()' python/sglang/srt/entrypoints/openai/serving_rerank.py
- grep -r 'tokenizer.chat_template' /path/to/models/
Additionally, monitoring network traffic or logs for requests to /v1/rerank containing suspicious payloads or unusual commands can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the /v1/rerank endpoint to prevent loading of malicious model files.
Avoid loading untrusted or unauthenticated GGUF model files that may contain malicious tokenizer.chat_template payloads.
If possible, patch the vulnerable code by replacing the unsandboxed jinja2.Environment() with a secure sandboxed environment such as ImmutableSandboxedEnvironment to prevent Server-Side Template Injection (SSTI).
Monitor logs and network traffic for suspicious activity targeting the reranking endpoint.
Consider applying any official patches or updates provided by the SGLang maintainers once available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-5760 vulnerability enables remote code execution on the SGLang server, which can lead to host compromise, lateral movement within the network, and data exfiltration.
Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and availability.
Exploitation of this vulnerability could expose sensitive personal or health information, violating regulatory requirements and potentially leading to legal and financial consequences.