CVE-2026-10300: SGLang Inference Endpoint Assertion Failure Vulnerability (CWE-617)
SGLang version 0.5.10.post1 contains a vulnerability in its inference HTTP endpoint that can be triggered by manipulating the lora_path argument. When an attacker provides a specially crafted lora_path value, the system reaches an assertion condition that causes the service to become unavailable. This is a remote vulnerability requiring network access, though the attack is complex to execute and not trivial to exploit in practice.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-617
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in SGLang 0.5.10.post1. Impacted is an unknown function of the file python/sglang/srt/lora/lora_manager.py of the component Inference HTTP Endpoint. Such manipulation of the argument lora_path leads to reachable assertion. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in python/sglang/srt/lora/lora_manager.py within SGLang's inference HTTP endpoint handler. The flaw is classified as CWE-617 (Reachable Assertion), meaning the code performs an assertion check on user-controlled input without proper validation. When the lora_path parameter is manipulated with malformed or unexpected values, the assertion fails, triggering an exception that disrupts service availability. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), and occurs in the application's validation layer before LoRA model loading.
Business impact
This vulnerability creates a denial-of-service risk for deployments relying on SGLang's inference endpoint for language model inference tasks. An attacker can remotely crash the inference service by sending requests with malicious lora_path arguments, causing service interruption and requiring manual restart. The impact is limited to availability; there is no data leakage or system compromise. For production inference workloads, this represents an operational disruption rather than a critical security breach, but availability of AI services may be business-critical in some contexts.
Affected systems
SGLang version 0.5.10.post1 is explicitly affected. The vulnerability affects the inference HTTP endpoint component, so any deployment exposing this endpoint over a network is at risk. Organizations using SGLang for model serving should assess whether they are running the affected version. Verify your exact version against the vendor release history and advisory documentation.
Exploitability
Exploitation requires high attack complexity (AC:H), indicating the attacker must overcome non-trivial obstacles such as specific input formatting or timing constraints. While a proof-of-concept has been publicly disclosed, successful exploitation still demands understanding of the LoRA parameter format and HTTP interface details. The vulnerability is not exploitable via simple, generic attack methods; a motivated attacker would need to craft specific payloads. This complexity naturally limits widespread exploitation risk.
Remediation
The development team has issued a pull request to fix this assertion handling in the LoRA manager component. Remediation awaits pull request acceptance and release in a subsequent SGLang version. Until an official patch is available, options include: (1) upgrading to a patched release once available; (2) restricting network access to the inference endpoint using firewall rules or network segmentation; (3) implementing input validation at the reverse proxy level to sanitize lora_path arguments; (4) temporarily disabling LoRA functionality if not required for your use case.
Patch guidance
Monitor SGLang's GitHub repository and release notes for version updates following the pull request merge. When a patched version is released, test it in a staging environment before production deployment to ensure compatibility with your model serving configuration. Verify the fix is included in release notes or commits addressing CWE-617 in lora_manager.py. Apply the patch as part of your regular dependency update cycle, prioritizing this after addressing any higher-severity issues in your infrastructure.
Detection guidance
Monitor your SGLang inference endpoint for HTTP 5xx errors or service crashes coinciding with unusual lora_path parameter values in request logs. Look for assertion errors or stack traces referencing lora_manager.py in application logs. Implement alerting for unexpected endpoint restarts or availability drops. If you have network traffic inspection capability, examine requests to the endpoint for malformed or overly long lora_path arguments. Log aggregation tools can help correlate crash events with specific request patterns.
Why prioritize this
Despite the low CVSS score (3.7), this vulnerability warrants prompt but not emergency attention. The limited attack complexity and public proof-of-concept disclosure mean a motivated attacker can weaponize this, but the impact is limited to service availability with no data breach risk. Prioritize patching based on whether your SGLang deployment is internet-facing, business-critical, and exposed to untrusted users. Internal-only or non-critical inference deployments are lower priority.
Risk score, explained
The CVSS 3.1 score of 3.7 (LOW severity) reflects low business impact—availability impact only (A:L) with no confidentiality or integrity compromise (C:N, I:N). The network attack vector and lack of privilege requirements would normally elevate concern, but high attack complexity (AC:H) significantly reduces exploitability likelihood. The score appropriately captures a remote DoS with non-trivial exploitation barriers. Organizations should consider business context: a non-critical batch inference system poses less risk than a real-time production inference API.
Frequently asked questions
Does this vulnerability require authentication to exploit?
No. The endpoint accepts unauthenticated requests (PR:N), so any network-accessible instance is potentially vulnerable. However, the high attack complexity means casual or script-based exploitation attempts are unlikely to succeed.
Can this vulnerability compromise our model weights or data?
No. This is a denial-of-service vulnerability affecting availability only. The assertion failure prevents model inference from completing, but does not expose model parameters, training data, or user inputs to an attacker.
Which SGLang versions are affected?
Version 0.5.10.post1 is explicitly confirmed as vulnerable. Check your deployed version using `pip show sglang` or `python -c "import sglang; print(sglang.__version__)"`. Earlier or later versions may also be affected; consult vendor advisories for the full range.
Is there a workaround if we cannot patch immediately?
Yes. Restrict network access to the inference endpoint to trusted clients only using firewall rules or network policies. Alternatively, disable LoRA support in your SGLang configuration if LoRA functionality is not required for your workload.
This analysis is provided for informational purposes and represents publicly available information as of the publication date. Verify all technical details, affected versions, and patch availability directly against SGLang's official repository and security advisories before implementing any remediation. The presence of a public proof-of-concept does not guarantee reliable exploitability in all environments. Organizations should conduct their own risk assessment based on deployment architecture, network exposure, and business criticality. SEC.co makes no warranties regarding the accuracy or completeness of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-37220HIGHFlexRIC v2.0.0 Denial of Service via SCTP Assertion Failure
- CVE-2026-37221HIGHFlexRIC v2.0.0 Unauthenticated Denial-of-Service via RIC Message Crash
- CVE-2026-37222HIGHFlexRIC E2AP Denial-of-Service Vulnerability – Analysis & Remediation
- CVE-2026-37223HIGHFlexRIC E2AP Dispatcher Assertion DoS – High-Severity O-RAN Vulnerability
- CVE-2026-37224HIGHFlexRIC v2.0.0 Denial of Service Vulnerability (CVE-2026-37224) — E2_SETUP_REQUEST Crash
- CVE-2026-37225HIGHFlexRIC v2.0.0 Remote Denial of Service
- CVE-2026-37227HIGHFlexRIC v2.0.0 Near-RT RIC Denial of Service (CWE-617)
- CVE-2026-37228HIGHFlexRIC v2.0.0 Remote Denial-of-Service via SCTP Buffer Overflow