CVE-2026-7669: Deserialization in sgl-project SGLang
CVE-2026-7669 is a medium-severity vulnerability in sgl-project SGLang, affecting versions up to and including 0.5.9. It lies in the get_tokenizer function of the HuggingFace Transformer Handler component, in the file python/sglang/srt/utils/hf_transformers_utils.py. The weakness is an unsafe deserialization that can be triggered remotely. Exploitation is considered difficult because the attack complexity is rated high. The vendor has not responded to disclosure attempts, and no patch or official remediation is currently available.
AI Analysis
Technical Summary
The flaw is an unsafe deserialization in the get_tokenizer function of the HuggingFace Transformer Handler component of sgl-project SGLang, present in releases up to and including 0.5.9. The affected code is in python/sglang/srt/utils/hf_transformers_utils.py. The issue is reachable by a remote attacker, but the attack complexity is rated high, so exploitation is considered difficult. As of the publication date the vendor has not responded to the disclosure and no patch has been released.
Potential Impact
Successful exploitation could have the usual consequences of unsafe deserialization, including unauthorized code execution or data manipulation. The CVSS 4.0 score of 6.3 and its vector, however, rate the confidentiality, integrity, and availability impacts as low. The attack requires no privileges and no user interaction but is rated high in attack complexity, which makes it difficult to carry out. No exploits in the wild are known at the time of writing.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Because the vendor has not responded and no patch or workaround has been published, operators should avoid running affected versions (0.5.9 and earlier) where possible. Where that is not possible, limit exposure of the component until a fix is released: keep the SGLang serving endpoint off untrusted networks, since the flaw is reachable remotely, and, because the weakness sits in the tokenizer-loading path, load tokenizers only from vetted, pinned local sources rather than from names or paths supplied by untrusted parties. Re-check the advisory for a confirmed fixed version before relying on an upgrade, since no release above 0.5.9 has yet been confirmed as a fix.
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-05-02T08:00:13.701Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f6755ecbff5d8610320ee1
Added to database: 5/2/2026, 10:06:22 PM
Last enriched: 5/2/2026, 10:21:18 PM
Last updated: 5/2/2026, 11:17:18 PM