CVE-2026-7669
Deferred Deferred - Pending Action
Remote Code Execution in SGLang via Deserialization

Publication date: 2026-05-02

Last updated on: 2026-05-04

Assigner: VulDB

Description
A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-04
Generated
2026-05-07
AI Q&A
2026-05-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-7669
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sgl-project sglang to 0.5.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the sgl-project SGLang up to version 0.5.9, specifically in the get_tokenizer function within the HuggingFace Transformer Handler component. The issue involves deserialization manipulation, which can be exploited remotely. The attack requires a high level of complexity and is considered difficult to execute.


How can this vulnerability impact me? :

Exploitation of this vulnerability can lead to partial confidentiality, integrity, and availability impacts. Since the vulnerability involves deserialization manipulation, an attacker could potentially execute unauthorized actions remotely, affecting the system's data and operations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart