CVE-2026-7302: SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability

May 18, 2026 (updated May 29, 2026)

SGLang’s multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.

References

antiproof.ai/blog/three-rces-in-sglang
github.com/advisories/GHSA-qwrp-wghp-94q2
github.com/sgl-project/sglang/tree/main/python/sglang
nvd.nist.gov/vuln/detail/CVE-2026-7302

Code Behaviors & Features

Detect and mitigate CVE-2026-7302 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →