CVE-2026-7669: SGLang has an Improper Input Validation/Injection Issue

May 3, 2026 (updated May 7, 2026)

A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/advisories/GHSA-6m5f-673f-5vh7
github.com/gouldnicholas/CVE-2026-7669-PoC
github.com/sgl-project/sglang
nvd.nist.gov/vuln/detail/CVE-2026-7669
vuldb.com/submit/799263
vuldb.com/vuln/360817
vuldb.com/vuln/360817/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-7669 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →