CVE-2026-3059 (critical)

Unauthenticated RCE in SGLang LLM Serving Framework via Pickle Deserialization

Tags: llm-infrastructure, deserialization, rce, agentic-security

Orca Security discovered multiple unsafe deserialization vulnerabilities in SGLang, a widely adopted open-source framework for serving large language models and multimodal AI models. The findings were coordinated through CERT/CC (case VU#665416). Two CVEs — CVE-2026-3059 and CVE-2026-3060 — allow unauthenticated remote code execution against any SGLang deployment that exposes its multimodal generation or disaggregation endpoints.

The root cause is Python's pickle module being used to deserialize untrusted data arriving over the network. Pickle deserialization is inherently unsafe: a crafted payload can execute arbitrary code on the host at the moment of deserialization — no authentication required. Any network-reachable SGLang endpoint is exploitable. A patch has been proposed but is not yet merged into the main branch.
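As an added illustration (not SGLang's code and not the proposed patch), these are the two defensive checks an operator can place at a boundary that currently calls `pickle.loads` on network data: a static opcode scan that never executes the payload, and an unpickler that allowlists the globals a payload may resolve. The allowlist and the two sample payloads are constructed for this example.

```python
import io
import pickle
import pickletools

# Constructed allowlist: plain data containers only. Any other global lookup
# (functions, classes, os/subprocess/... ) is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "frozenset"),
}

# Opcodes that resolve or invoke callables; a pure data pickle never needs them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup that is not on SAFE_GLOBALS.

    pickle runs code when a payload resolves a callable (GLOBAL/STACK_GLOBAL)
    and then invokes it (REDUCE). Denying the lookup denies the call, so the
    payload fails before anything executes.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(blob: bytes):
    """Replacement for pickle.loads on data that crossed a trust boundary."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def scan_opcodes(blob: bytes) -> list:
    """Dangerous opcodes in stream order, found without loading the blob.

    pickletools.genops only disassembles the byte stream, so this is safe to
    run on hostile input, e.g. as a detection rule in front of the endpoint.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(blob)
            if op.name in DANGEROUS_OPCODES]


def is_rejected(blob: bytes) -> bool:
    """True if the restricted unpickler refuses the payload."""
    try:
        restricted_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples. The second is a reference to builtins.print: harmless on
# its own, but "resolve a callable" is the shape every malicious payload needs,
# so both checks must flag it while letting the plain request through.
BENIGN_REQUEST = pickle.dumps({"prompt": "describe the image", "max_tokens": 3})
CALLABLE_REFERENCE = pickle.dumps(print)
```

Neither check makes pickle safe for untrusted input in general; the durable fix is a non-executable wire format (JSON, msgpack) for these endpoints, with the allowlisting unpickler as defence in depth only where pickle cannot yet be removed.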

SGLang is deployed in enterprise GPU clusters for production model inference. A successful exploit gives an attacker unauthenticated code execution on the inference host — meaning access to model weights, any data in context windows, GPU resources, and lateral movement into the broader cluster network.

Immediate recommendation: Restrict network access to SGLang endpoints to trusted hosts only (firewall/VPC isolation); do not expose SGLang's multimodal or disaggregation ports to untrusted networks until a patch is released and merged.