CVE-2026-7302 Overview
CVE-2026-7302 is a critical unauthenticated path traversal vulnerability in the SGLang multimodal generation runtime from lmsys. Attackers can write arbitrary files to any location where the server process has write access. Exploitation requires only including ../ sequences in the upload filename when sending requests to specific endpoints. The flaw affects lmsys:sglang version 0.5.10 and maps to CWE-35: Path Traversal: '.../...//'. Because SGLang is widely deployed as a large language model (LLM) inference server, arbitrary file writes can lead to remote code execution by overwriting Python modules, configuration files, or SSH authorized keys.
Critical Impact
Unauthenticated attackers can write arbitrary files on the host, enabling remote code execution and full compromise of the SGLang inference server.
Affected Products
- lmsys:sglang version 0.5.10
- SGLang multimodal generation runtime endpoints accepting file uploads
- Deployments exposing SGLang HTTP API to untrusted networks
Discovery Timeline
- 2026-05-18 - CVE-2026-7302 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-7302
Vulnerability Analysis
The SGLang multimodal runtime exposes HTTP endpoints that accept uploaded files for image, audio, or video processing. The endpoints derive the destination path on disk from the client-supplied filename without canonicalizing or validating the resulting path. An attacker submitting an upload with a filename such as ../../../../etc/cron.d/payload causes the server to write attacker-controlled bytes outside of the intended upload directory.
The issue is reachable without authentication because the runtime endpoints do not enforce identity or session checks by default. Combined with the network attack vector and low complexity, any reachable SGLang instance is exposed. While the CVSS vector indicates no direct confidentiality impact, arbitrary file writes typically translate to code execution by overwriting Python source files imported by the running process or by placing cron jobs and SSH keys.
Root Cause
The runtime concatenates the user-supplied filename field with a base upload directory and writes the file contents without rejecting ../ segments or resolving the final path against an allow-listed base directory. This is a classic relative path traversal weakness ([CWE-35]). See the AntiProof Blog on RCEs and the GitHub SGLang Repository for the affected source modules.
Attack Vector
Exploitation is performed over the network against any reachable SGLang HTTP endpoint that accepts multimodal uploads. The attacker sends a crafted multipart request whose filename field contains traversal sequences pointing at a sensitive write target. The server writes attacker bytes to that path with the privileges of the SGLang process. From there, attackers commonly stage code execution by overwriting an imported Python file, dropping a ~/.ssh/authorized_keys entry, or writing a cron job. No code example is published in the verified references.
Detection Methods for CVE-2026-7302
Indicators of Compromise
- HTTP upload requests to SGLang endpoints containing ../ or URL-encoded %2e%2e%2f sequences in the filename parameter
- Unexpected file creation outside the configured SGLang upload or cache directory
- New or modified Python source files inside the sglang package directory at runtime
- New entries in authorized_keys, cron.d, or systemd unit directories on hosts running SGLang
Detection Strategies
- Inspect web access and application logs for upload requests whose filenames contain traversal sequences or absolute paths
- Monitor the SGLang process for file writes to paths outside its designated working directory using file integrity monitoring or auditd
- Alert on Python interpreter writes to its own site-packages or source tree during request handling
Monitoring Recommendations
- Enable verbose request logging on the SGLang reverse proxy and forward logs to a centralized analytics platform
- Baseline normal upload destinations and alert on deviations from that baseline
- Track outbound connections from the SGLang host to detect post-exploitation command-and-control activity
How to Mitigate CVE-2026-7302
Immediate Actions Required
- Restrict network access to SGLang inference endpoints so they are reachable only from trusted internal clients
- Run the SGLang server as a non-privileged user with write access limited to a dedicated upload directory
- Place SGLang behind a reverse proxy that strips or rejects filenames containing ../, ..\, or encoded traversal sequences
- Audit the host for unexpected files created since the SGLang service was first exposed
Patch Information
No fixed version is listed in the NVD entry at the time of publication. Monitor the GitHub SGLang Repository for an upstream patch and upgrade past 0.5.10 once a fixed release is published. Until then, apply the workarounds below.
Workarounds
- Deploy a WAF or reverse proxy rule that drops multipart requests whose filename field contains .., leading slashes, or null bytes
- Run SGLang inside a read-only container with only the upload directory mounted writable, preventing writes to package code or system paths
- Disable or firewall the multimodal upload endpoints if the deployment only requires text generation
- Enforce mandatory access control such as SELinux or AppArmor profiles that confine the SGLang process to its working directory
# Example nginx rule rejecting traversal sequences in upload filenames
location /generate {
if ($request_body ~* "filename=\"[^\"]*\.\.[\\/]") {
return 400;
}
client_max_body_size 32m;
proxy_pass http://sglang_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
