CVE-2026-5760
Analyzed Analyzed - Analysis Complete
Remote Code Execution in SGLang /v1/rerank via Unsafe Jinja2 Template

Publication date: 2026-04-20

Last updated on: 2026-06-03

Assigner: CERT/CC

Description
SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-06-03
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5760
EUVD
EUVD-2026-23860
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lmsys sglang to 0.5.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5760 is a critical Remote Code Execution (RCE) vulnerability in SGLang version 0.5.9. It occurs because the reranking endpoint (/v1/rerank) renders chat templates from model files using an unsandboxed Jinja2 environment. Specifically, the vulnerability arises when a malicious GGUF model file contains a specially crafted tokenizer.chat_template with a Server-Side Template Injection (SSTI) payload.

The reranking endpoint uses jinja2.Environment() without sandboxing or autoescaping, allowing the malicious template to execute arbitrary Python code on the server. When the vulnerable endpoint processes a request with this malicious template, it can run arbitrary OS commands, such as through Python's os.popen(), leading to full remote code execution.

This vulnerability is due to improper neutralization of special elements in the template engine (CWE-1336) and improper control of code generation (CWE-94). A proof-of-concept exploit demonstrates how an attacker can embed a payload in the model file to execute shell commands on the server.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on the server running the SGLang reranking endpoint. This means an attacker can run any command on the server, potentially leading to full system compromise.

  • Unauthorized access to sensitive data stored or processed by the server.
  • Modification or deletion of critical files and data.
  • Deployment of malware or ransomware on the affected system.
  • Disruption of service by executing destructive commands.

Overall, the vulnerability can lead to severe security breaches, data loss, and operational downtime.

Detection Guidance

This vulnerability can be detected by checking if your SGLang installation is running version 0.5.9 and if the reranking endpoint (/v1/rerank) is in use. Specifically, look for the presence of the vulnerable code in the file python/sglang/srt/entrypoints/openai/serving_rerank.py around lines 128-132 where an unsandboxed jinja2.Environment() is used.

To detect exploitation attempts or presence of malicious model files, you can monitor requests to the /v1/rerank endpoint for suspicious payloads containing the trigger phrase "The answer can only be 'yes' or 'no'" or unusual template content in tokenizer.chat_template fields.

Suggested commands include searching for the vulnerable code pattern in your source code repository or deployed environment:

  • grep -r 'jinja2.Environment()' python/sglang/srt/entrypoints/openai/serving_rerank.py
  • grep -r 'tokenizer.chat_template' /path/to/models/

Additionally, monitoring network traffic or logs for requests to /v1/rerank containing suspicious payloads or unusual commands can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the /v1/rerank endpoint to prevent loading of malicious model files.

Avoid loading untrusted or unauthenticated GGUF model files that may contain malicious tokenizer.chat_template payloads.

If possible, patch the vulnerable code by replacing the unsandboxed jinja2.Environment() with a secure sandboxed environment such as ImmutableSandboxedEnvironment to prevent Server-Side Template Injection (SSTI).

Monitor logs and network traffic for suspicious activity targeting the reranking endpoint.

Consider applying any official patches or updates provided by the SGLang maintainers once available.

Compliance Impact

The CVE-2026-5760 vulnerability enables remote code execution on the SGLang server, which can lead to host compromise, lateral movement within the network, and data exfiltration.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and availability.

Exploitation of this vulnerability could expose sensitive personal or health information, violating regulatory requirements and potentially leading to legal and financial consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart