Backdoored Brains: SGLang Flaw Lets Hackers Hijack AI Servers with Malicious Model Files
A critical vulnerability in SGLang exposes thousands of AI deployments to remote code execution through booby-trapped GGUF models, with no official fix in sight.
In the high-stakes world of artificial intelligence, where open-source innovation races ahead of security controls, a new threat has emerged that could turn trusted language models into covert attack vectors. This week, security researchers sounded the alarm over a severe flaw in SGLang - a widely used framework for serving large language models - after discovering that simply downloading the wrong model could hand hackers the keys to any server running the software.
How a Model File Becomes a Weapon
The vulnerability, cataloged as CVE-2026-5760 with a near-maximum CVSS score of 9.8, targets SGLang’s /v1/rerank endpoint. Attackers can create GPT-Generated Unified Format (GGUF) model files whose tokenizer.chat_template metadata field is booby-trapped. That field carries a server-side template injection (SSTI) payload designed to exploit SGLang’s use of a plain jinja2.Environment() template engine - with no security sandboxing - to render it.
Here’s how the attack unfolds: A victim, perhaps seeking the latest language model on Hugging Face, downloads and loads a malicious GGUF file into SGLang. When the system receives a reranking request, SGLang dutifully renders the template - unknowingly executing the attacker’s Python code on the server. This gives the attacker full remote code execution (RCE) privileges, potentially compromising data, exfiltrating secrets, or using the infrastructure for further attacks.
Security researcher Stuart Beck, who uncovered the flaw, traced the root cause to SGLang’s failure to use ImmutableSandboxedEnvironment - a secure Jinja2 mode that would have blocked arbitrary code execution. Instead, the system trusted the contents of model files, a risky assumption in today’s supply chain threat landscape.
Déjà Vu for AI Supply Chains
This isn’t the first time a model-serving framework has been caught off-guard. The “Llama Drama” vulnerability (CVE-2024-34359) hit the llama_cpp_python package earlier this year, and a similar issue was patched in vLLM (CVE-2025-61620). But SGLang, with over 26,000 GitHub stars and deployments across research, industry, and startups, represents a particularly juicy target.
Despite the severity and clear instructions from CERT/CC on how to fix the flaw, SGLang’s maintainers have yet to respond or release a patch. In the meantime, AI operators are urged to avoid untrusted models and consider sandboxing or network isolation until a permanent solution arrives.
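Until a patch ships, operators can at least inspect a GGUF file's metadata before handing it to any framework. The following added example (not the article's, SGLang's, or CERT/CC's code) parses only the GGUF header and key/value section with the standard library, never touching tensor data, and flags a tokenizer.chat_template that accesses private attributes. The sample GGUF bytes, the key names other than the standard ones, and the inert probe template are constructed for the demonstration.

```python
"""Pre-load scanner for GGUF metadata (added example; sample data constructed).

Reads the GGUF header and metadata KV pairs, then flags a chat template that
reaches for private attributes, the shape of the injection described above.
"""
import re
import struct
from typing import Any

# GGUF metadata value types (GGUF spec); all integers are little-endian.
UINT8, INT8, UINT16, INT16, UINT32, INT32 = 0, 1, 2, 3, 4, 5
FLOAT32, BOOL, STRING, ARRAY, UINT64, INT64, FLOAT64 = 6, 7, 8, 9, 10, 11, 12
_SCALAR_FMT = {UINT8: "<B", INT8: "<b", UINT16: "<H", INT16: "<h", UINT32: "<I",
               INT32: "<i", FLOAT32: "<f", BOOL: "<?", UINT64: "<Q",
               INT64: "<q", FLOAT64: "<d"}


class _Reader:
    """Bounds-checked cursor over the file bytes; truncation raises ValueError."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def unpack(self, fmt: str) -> Any:
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise ValueError("truncated GGUF metadata")
        (val,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return val

    def string(self) -> str:
        n = self.unpack("<Q")
        if self.pos + n > len(self.data):
            raise ValueError("truncated GGUF string")
        s = self.data[self.pos:self.pos + n].decode("utf-8", "replace")
        self.pos += n
        return s

    def value(self, vtype: int) -> Any:
        if vtype in _SCALAR_FMT:
            return self.unpack(_SCALAR_FMT[vtype])
        if vtype == STRING:
            return self.string()
        if vtype == ARRAY:
            etype, count = self.unpack("<I"), self.unpack("<Q")
            return [self.value(etype) for _ in range(count)]
        raise ValueError(f"unknown GGUF value type {vtype}")


def read_gguf_metadata(data: bytes) -> dict:
    """Return the metadata KV pairs; tensor data is never read."""
    if data[:4] != b"GGUF":
        raise ValueError("not a GGUF file")
    r = _Reader(data)
    r.pos = 4
    r.unpack("<I")               # version
    r.unpack("<Q")               # tensor_count (unused here)
    kv_count = r.unpack("<Q")
    meta = {}
    for _ in range(kv_count):
        key = r.string()
        meta[key] = r.value(r.unpack("<I"))
    return meta


# Constructs with no business in a chat template: private/dunder attribute
# access by dot, by subscript, or via the attr filter, and Jinja's `self`.
_SUSPICIOUS = [re.compile(r"\.\s*_\w+"), re.compile(r"\[\s*['\"]_"),
               re.compile(r"\battr\s*\(\s*['\"]_"), re.compile(r"\bself\s*\.")]


def scan_chat_template(meta: dict) -> list:
    tmpl = meta.get("tokenizer.chat_template")
    if tmpl is None:
        return []
    if not isinstance(tmpl, str):
        return ["tokenizer.chat_template is not a string"]
    return [f"private attribute access: {m.group(0)!r}"
            for p in _SUSPICIOUS for m in p.finditer(tmpl)]


def check_file_bytes(data: bytes) -> list:
    """Findings for a GGUF file's bytes; empty list means nothing flagged."""
    return scan_chat_template(read_gguf_metadata(data))


def _gguf_string(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack("<Q", len(b)) + b


def build_sample_gguf(chat_template: str) -> bytes:
    """Construct a minimal GGUF (header + metadata, zero tensors) for testing."""
    kvs = [("general.architecture", STRING, "llama"),
           ("llama.context_length", UINT32, 4096),
           ("tokenizer.ggml.tokens", ARRAY, ["<s>", "</s>"]),
           ("tokenizer.chat_template", STRING, chat_template)]
    out = b"GGUF" + struct.pack("<I", 3) + struct.pack("<QQ", 0, len(kvs))
    for key, vtype, val in kvs:
        out += _gguf_string(key) + struct.pack("<I", vtype)
        if vtype == STRING:
            out += _gguf_string(val)
        elif vtype == UINT32:
            out += struct.pack("<I", val)
        else:  # ARRAY of strings
            out += struct.pack("<IQ", STRING, len(val))
            out += b"".join(_gguf_string(v) for v in val)
    return out


BENIGN = ("{% for m in messages %}<|im_start|>{{ m['role'] }}\n"
          "{{ m['content'] }}<|im_end|>\n{% endfor %}")
PROBE = "{{ messages.__class__ }}"   # constructed, inert marker of the pattern

if __name__ == "__main__":
    for name, src in [("benign", BENIGN), ("probe", PROBE)]:
        print(name, check_file_bytes(build_sample_gguf(src)))
```

Run it against a downloaded file with `check_file_bytes(open(path, "rb").read())`; a non-empty finding list is a reason to quarantine the model, not to load it and see what happens. The regexes are deliberately broad (any underscore-prefixed attribute), which is the right trade-off for a pre-load gate: a legitimate chat template has no reason to touch private attributes at all.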
A Cautionary Tale for AI’s Future
The SGLang incident is a stark reminder that as AI becomes more modular and collaborative, the lines between code and data are blurring - and so are the attack surfaces. In the race to build smarter machines, security can’t be left behind. If the AI community doesn’t learn from these wake-up calls, the next backdoored brain could be lurking just a download away.
WIKICROOK
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- GGUF Model File: A GGUF model file is a binary format for storing and sharing large AI language models, enabling efficient deployment and interoperability across platforms.
- Server: A server is a computer or software that provides data, resources, or services to other computers, called clients, over a network.
- Jinja2: Jinja2 is a Python templating engine for generating dynamic content, but insecure use can expose web applications to serious security vulnerabilities.
- Sandboxing: Sandboxing is a method of testing suspicious files or links in a secure, isolated environment to detect threats without endangering actual systems.