Unauthenticated Path Traversal in SGLang's Multimodal Generation Runtime
CVE-2026-7302

9.1 CRITICAL

Key Information:

Vendor

Sglang

Status
Vendor
CVE Published:
18 May 2026

What is CVE-2026-7302?

SGLang's multimodal generation runtime has a vulnerability that lets unauthenticated users perform a path traversal attack. An attacker can manipulate file upload paths using '../' sequences and so write arbitrary files to any server directory where the process has write permissions. The vulnerability can be exploited when specific endpoints are targeted, posing significant risks to the integrity of the server and the data it handles.
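One common mitigation for this class of upload bug, shown as an added example (not SGLang's code and not the vendor's fix): resolve the client-supplied name against a fixed upload root and reject anything that lands outside it. The function names, the exception class and the sample file names are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeUploadPath(ValueError):
    """Client-supplied name resolves outside the upload root."""


def resolve_upload_path(upload_root: str, client_name: str) -> Path:
    """Hypothetical helper (not SGLang code): confine a name to upload_root."""
    root = Path(upload_root).resolve()
    if not client_name or "\x00" in client_name:
        raise UnsafeUploadPath("empty name or NUL byte")
    normalized = client_name.replace("\\", "/")  # catch "..\\x" on any OS
    # Resolve ".." and symlinks first, then check containment on the result.
    candidate = (root / normalized).resolve()
    if root not in candidate.parents:
        raise UnsafeUploadPath(f"{client_name!r} escapes {root}")
    return candidate


def save_upload(upload_root: str, client_name: str, data: bytes) -> Path:
    dest = resolve_upload_path(upload_root, client_name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL refuses overwrite; O_NOFOLLOW (where available) refuses a symlink at dest.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(dest, flags, 0o600), "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Constructed sample names; True means the write was accepted."""
    samples = ["cat.png", "batch1/cat.png", "../../etc/cron.d/job",
               "/etc/passwd", "a/../../b.png", "..\\..\\evil.py", ""]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name in samples:
            try:
                save_upload(root, name, b"constructed sample bytes")
                results[name] = True
            except UnsafeUploadPath:
                results[name] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check runs on the fully resolved path, so an absolute name or a symlink inside the upload root that points elsewhere is rejected along with '../' sequences.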

Affected Version(s)

SGLang 5.10


CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
