Orca Security researchers discovered multiple unauthenticated remote code execution vulnerabilities in SGLang, a widely used open-source framework for serving large language models and multimodal AI models. CVE-2026-3060 affects SGLang's encoder parallel disaggregation system. The findings were coordinated through CERT/CC (case VU#665416). At the time of publication, SGLang maintainers had not responded to disclosure efforts and no official patch was available.
SGLang's encoder disaggregation system deserializes inter-process communication data using Python's pickle.loads() without authentication. Any attacker with network access to the exposed ZMQ endpoint can send a crafted pickle payload and achieve arbitrary code execution on the host running the SGLang server. No credentials or prior access are required.
Any AI agent infrastructure, inference cluster, or RAG pipeline built on SGLang is at risk of full compromise if the framework port is reachable from an untrusted network. Because SGLang is deployed in enterprise ML inference environments handling sensitive model weights and data, the blast radius includes model exfiltration, lateral movement, and persistent access to the inference stack.
Immediate recommendation: Firewall SGLang ports (block all external access to ZMQ broker and disaggregation endpoints) and audit whether any SGLang instance is internet- or network-exposed until an official patch ships.
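The root cause described above is pickle.loads() applied to unauthenticated network input. The following added example (not SGLang code and not an official patch) shows the general hardening pattern for a pickle-based IPC receiver: verify an HMAC tag before any deserialization, then unpickle with a subclass that refuses every global lookup. The function names, the frame layout and the pre-shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class DataOnlyUnpickler(pickle.Unpickler):
    """Assumption: only plain containers cross the wire, so any global
    (class or function) reference in the stream is refused."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def seal(key: bytes, obj) -> bytes:
    """Sender side (hypothetical helper): pickle obj and prepend its MAC."""
    body = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_frame(key: bytes, frame: bytes):
    """Receiver side (hypothetical helper): authenticate, then load data only."""
    if len(frame) <= TAG_LEN:
        raise ValueError("frame too short")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Unauthenticated bytes never reach the unpickler.
        raise ValueError("bad MAC: frame dropped before deserialization")
    return DataOnlyUnpickler(io.BytesIO(body)).load()


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    msg = {"request_id": 7, "shape": [1, 3, 224, 224]}  # constructed sample message
    print(open_frame(key, seal(key, msg)))
    try:
        open_frame(key, seal(b"some-other-key", msg))
    except ValueError as exc:
        print("rejected:", exc)
```

The MAC check stops peers that do not hold the key; the data-only unpickler limits what a peer that does hold the key can make the receiver load. Neither replaces the network filtering recommended above.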