AI Threat Alert AI Threat Alert

CVE-2026-7669

MEDIUM
Published May 2, 2026

A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A...

Full CISO analysis pending enrichment.

Severity & Risk

CVSS 3.1
5.6 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

AV AC PR UI S C I A
AV Network
AC High
PR None
UI None
S Unchanged
C Low
I Low
A Low

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-7669?

A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Is CVE-2026-7669 actively exploited?

No confirmed active exploitation of CVE-2026-7669 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-7669?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-7669?

CVE-2026-7669 has a CVSS v3.1 base score of 5.6 (MEDIUM).

Technical Details

NVD Description

A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Weaknesses (CWE)

CWE-20 Primary CWE-502 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

Timeline

Published
May 2, 2026
Last Modified
May 2, 2026
First Seen
May 2, 2026
Back to Threat Feed