CVE-2026-10300 Overview
CVE-2026-10300 is a reachable assertion vulnerability in SGLang version 0.5.10.post1, an inference serving framework for large language models. The flaw resides in the python/sglang/srt/lora/lora_manager.py file within the Inference HTTP Endpoint component. Attackers can manipulate the lora_path argument to trigger an assertion failure, leading to a limited denial-of-service condition. The vulnerability is exploitable remotely over the network without authentication, though successful exploitation requires high attack complexity. The exploit has been publicly disclosed, and a pull request to address the issue is pending acceptance by maintainers. This vulnerability is classified under [CWE-617] Reachable Assertion.
Critical Impact
Remote attackers can trigger an assertion failure in the SGLang inference HTTP endpoint by manipulating the lora_path argument, causing limited availability impact to LoRA-enabled model serving.
Affected Products
- SGLang 0.5.10.post1
- SGLang LoRA Manager component (python/sglang/srt/lora/lora_manager.py)
- SGLang Inference HTTP Endpoint
Discovery Timeline
- 2026-06-01 - CVE-2026-10300 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-10300
Vulnerability Analysis
The vulnerability exists in SGLang's LoRA (Low-Rank Adaptation) manager, which handles dynamic loading of adapter weights for large language model inference. The Inference HTTP Endpoint accepts a lora_path argument from clients without sufficient validation. When the supplied value reaches the LoRA manager logic, it triggers a Python assertion that was intended as an internal invariant check rather than a user-facing validation boundary.
A reachable assertion in a production code path lets external input violate a developer assumption that was never meant to be tested against untrusted data. When the assertion fails, the resulting AssertionError terminates the request handling logic, degrading availability of the inference service for LoRA-based workloads. The EPSS score of 0.047% reflects the high attack complexity and limited impact scope.
Root Cause
The root cause is improper input validation in the LoRA path handling logic. The code uses assert statements to enforce conditions on data that originates from untrusted HTTP requests. According to [CWE-617], assertions should never be reachable through external input because they are intended for development-time invariant checking and produce uncontrolled error states when triggered at runtime.
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to the SGLang inference endpoint with a malformed or unexpected lora_path value. The attack requires the attacker to satisfy specific preconditions in the LoRA manager state, which contributes to the high attack complexity rating. Successful exploitation produces an assertion failure that disrupts the affected request handler. No code execution, data disclosure, or integrity impact results from this flaw. Technical details are available in the GitHub Issue Report and the pending pull request.
Detection Methods for CVE-2026-10300
Indicators of Compromise
- Unexpected AssertionError exceptions in SGLang application logs originating from lora_manager.py
- HTTP requests to inference endpoints containing unusual or malformed lora_path parameter values
- Repeated request failures or worker restarts correlated with LoRA adapter loading operations
- Sudden drops in availability of LoRA-enabled inference endpoints
Detection Strategies
- Monitor SGLang server logs for assertion failures tied to LoRA path processing
- Inspect inbound HTTP traffic to inference APIs for anomalous lora_path values that deviate from expected adapter naming patterns
- Correlate worker process crashes or restarts with preceding HTTP request payloads to identify trigger conditions
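The correlation step above, as an added detection sketch that is not part of the original advisory or of SGLang: the log layout, request ids, client addresses and lora_path values in SAMPLE_LOG are constructed for this example, so the two regexes must be adapted to the deployment's real log format.

```python
"""Added detection sketch for the indicators listed above. The log format,
request ids and client addresses are constructed and are not SGLang's real
log layout; adjust REQUEST and ASSERT to match the deployment's logs."""
import re
from collections import Counter

# Constructed sample: each request line carries a client address and the
# lora_path it asked for; a later error line names lora_manager.py.
SAMPLE_LOG = """\
2026-06-01T10:00:01Z INFO req=a1 client=10.0.0.5 lora_path=customer-support-v2
2026-06-01T10:00:02Z INFO req=a2 client=10.0.0.9 lora_path=!!bogus!!
2026-06-01T10:00:02Z ERROR req=a2 AssertionError in python/sglang/srt/lora/lora_manager.py
2026-06-01T10:00:03Z INFO req=a3 client=10.0.0.9 lora_path=%%%
2026-06-01T10:00:03Z ERROR req=a3 AssertionError in python/sglang/srt/lora/lora_manager.py
2026-06-01T10:00:04Z INFO req=a4 client=10.0.0.5 lora_path=legal_summaries
"""

REQUEST = re.compile(r"INFO req=(?P<req>\S+) client=(?P<client>\S+) lora_path=(?P<lora>\S+)")
ASSERT = re.compile(r"ERROR req=(?P<req>\S+) AssertionError .*lora_manager\.py")
# Expected adapter naming pattern; anything else is an anomaly worth a look.
ADAPTER_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def correlate_assertions(log_text):
    """Join each lora_manager.py AssertionError to the request that preceded
    it (by request id) and return the offending (client, lora_path) pairs."""
    requests = {}
    hits = []
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            requests[m["req"]] = (m["client"], m["lora"])
        elif m := ASSERT.search(line):
            client, lora = requests.get(m["req"], ("unknown", "unknown"))
            hits.append({"req": m["req"], "client": client, "lora_path": lora,
                         "anomalous_name": not ADAPTER_NAME.fullmatch(lora)})
    return hits


def clients_over_threshold(hits, threshold=2):
    """Clients whose requests caused at least `threshold` assertion failures."""
    counts = Counter(h["client"] for h in hits)
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = correlate_assertions(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("alert:", clients_over_threshold(found))
```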
Monitoring Recommendations
- Enable verbose logging on SGLang inference endpoints to capture full request parameters during the triage window
- Track error rate metrics on the LoRA loading code path and alert on sustained increases
- Apply rate limiting and input length restrictions at the reverse proxy or API gateway layer to surface abuse patterns
How to Mitigate CVE-2026-10300
Immediate Actions Required
- Restrict network exposure of SGLang inference endpoints to trusted clients using firewall rules or VPN access controls
- Place an API gateway in front of the inference endpoint to validate lora_path parameter format before requests reach SGLang
- Monitor the upstream GitHub Pull Request #25078 for merge status and apply the patch immediately once released
Patch Information
As of the CVE publication date, the pull request to fix this issue is awaiting acceptance by the SGLang maintainers. Track the fix progress through the official pull request and the VulDB advisory for CVE-2026-10300. Operators running SGLang 0.5.10.post1 should plan to upgrade to the next release containing the merged fix.
Workarounds
- Implement strict input validation on the lora_path parameter at the application gateway, allowing only known adapter identifiers from an allowlist
- Disable the LoRA loading endpoint entirely if dynamic adapter loading is not required in the deployment
- Deploy SGLang behind an authenticating reverse proxy to prevent unauthenticated requests from reaching the vulnerable code path
- Configure process supervisors to automatically restart SGLang workers on assertion failures to preserve service continuity
# Example: restrict lora_path values using an nginx allowlist before reaching SGLang.
# Assumes an `upstream sglang_backend { ... }` block is defined elsewhere. Only the
# query-string form of lora_path is checked here; a value sent in a JSON request body
# must be validated by a gateway that inspects the body (see Workarounds above).
location /v1/ {
    # Reject a lora_path that is present but is not a 1-64 character adapter
    # identifier; the optional group keeps requests without lora_path flowing.
    if ($arg_lora_path !~ "^([a-zA-Z0-9_-]{1,64})?$") {
        return 400 "Invalid lora_path";
    }
    proxy_pass http://sglang_backend;
}
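The assert-as-validation pattern from Root Cause next to the allowlist check from Workarounds, as an added Python illustration that is not SGLang's code: the function names, the KNOWN_ADAPTERS allowlist and the sample requests are constructed for this example.

```python
"""Added illustration of the CWE-617 pattern described in Root Cause and the
allowlist workaround above. This is NOT SGLang's code: the function names,
KNOWN_ADAPTERS and the sample requests are constructed for the example."""
import re

# Constructed allowlist of adapter identifiers the operator has registered.
KNOWN_ADAPTERS = {"customer-support-v2", "legal_summaries", "code_assist"}
ADAPTER_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class InvalidLoraPath(ValueError):
    """Controlled error that the HTTP layer maps to a 400 response."""


def resolve_lora_path_unsafe(lora_path, loaded):
    """Anti-pattern (CWE-617): an assert guards data taken from the request.
    Any unexpected value becomes an AssertionError that escapes the handler,
    and `python -O` strips the assert entirely, leaving no check at all."""
    assert lora_path in loaded, f"adapter {lora_path!r} is not loaded"
    return loaded[lora_path]


def resolve_lora_path(lora_path, loaded):
    """Hardened form: explicit checks raise a controlled error for the
    caller to report, so malformed input never aborts the handler."""
    if not isinstance(lora_path, str) or not ADAPTER_NAME.fullmatch(lora_path):
        raise InvalidLoraPath("lora_path must match [A-Za-z0-9_-]{1,64}")
    if lora_path not in KNOWN_ADAPTERS:
        raise InvalidLoraPath("lora_path is not a registered adapter")
    if lora_path not in loaded:
        raise InvalidLoraPath("adapter is registered but not currently loaded")
    return loaded[lora_path]


def handle_request(body, loaded):
    """Stand-in for an endpoint handler; returns (http_status, payload)."""
    try:
        weights = resolve_lora_path(body.get("lora_path"), loaded)
    except InvalidLoraPath as exc:
        return 400, {"error": str(exc)}
    return 200, {"adapter": body["lora_path"], "weights": weights}


if __name__ == "__main__":
    loaded = {"customer-support-v2": "<adapter weights>"}
    print(handle_request({"lora_path": "customer-support-v2"}, loaded))
    print(handle_request({"lora_path": "unknown adapter!"}, loaded))
    print(handle_request({}, loaded))
```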
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


