Cyber Resilience

CVE-2026-3989

High

Published: 12 March 2026

Modified: 07 April 2026
KEV Added: not listed
Patch: available (v0.5.10)
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.0th percentile
Risk Priority 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3989 is a high-severity insecure-deserialization vulnerability in SGLang (the affected product is inferred from the references and description; NVD has not filed a CPE for this CVE). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). Its EPSS score of 0.0003 places it at the 10th percentile of exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3989 is a high-severity vulnerability (CVSS 7.8) in the SGLang framework, specifically affecting the `replay_request_dump.py` script in the `scripts/playground` directory. The issue stems from calling `pickle.load()` on the input file without validation or a restricted unpickler. Because a pickle stream can instruct the loader to import and call arbitrary Python callables, a crafted .pkl file executes attacker-supplied code the moment it is loaded. Published on March 12, 2026, this flaw affects users who run the script in SGLang, an open-source framework for serving large language models.

An attacker exploits this vulnerability locally by getting a malicious .pkl file in front of a victim. Exploitation is low complexity but requires user interaction: the victim must run `replay_request_dump.py` on the crafted file (AV:L/AC:L/PR:N/UI:R). Successful exploitation yields arbitrary code execution on the host with the privileges of the user running the script, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to full system compromise.

Mitigation is available through the SGLang project's patch in pull request #20904 and the release of version v0.5.10, which addresses the insecure deserialization. Security advisories, including analysis from Orca Security, describe this as one of several RCE vulnerabilities in the SGLang LLM framework and recommend updating to the patched version and not loading .pkl files from untrusted sources.

SGLang's role in deploying large language models makes this vulnerability particularly relevant to AI/ML infrastructure, where replay scripts are used in development and debugging workflows. In practice that means request dumps received from others, for example attached to bug reports or pulled from a shared bucket, should be treated as untrusted input. No public evidence of real-world exploitation had been reported as of the CVE publication.


Vulnerability details

SGLang's `replay_request_dump.py` calls `pickle.load()` on its input file without validation or safe deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which executes the attacker's code on the device running the script.
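The following is an added example written for this page by the editor; it is not SGLang project code and does not reproduce the fix in PR #20904, which may differ. It shows concretely why the `pickle.load()` call described in the analysis and in the vulnerability details above is code execution, then two checks a replay script could apply before trusting a dump: a static scan of the imports the stream requests, and a `find_class` allowlist on a restricted unpickler. The request-dump contents, the `SGLANG_PKL_DEMO` marker and the `builtins.exec` payload are constructed for the demo; a real payload would call `os.system` or `subprocess` instead.

```python
"""Added example (editor's code, not SGLang project code) showing why an
unvalidated pickle.load() on an attacker-supplied .pkl is arbitrary code
execution, plus two checks a replay script can apply before trusting a dump.
The request-dump content and the SGLANG_PKL_DEMO marker are constructed for
this demo; a real payload would call os.system or subprocess instead."""
import io
import os
import pickle
import pickletools

MARKER = "SGLANG_PKL_DEMO"  # in-process evidence that the payload ran


class MaliciousDump:
    """pickle.dumps() asks __reduce__ how to rebuild the object and records
    the answer as (callable, args). The unpickler calls that callable during
    load(), so naming builtins.exec turns load() into exec-of-attacker-input."""

    def __reduce__(self):
        code = f"import os; os.environ['{MARKER}'] = 'executed'"
        return (exec, (code,))


def build_malicious_pkl() -> bytes:
    return pickle.dumps(MaliciousDump(), protocol=pickle.HIGHEST_PROTOCOL)


def build_benign_pkl() -> bytes:
    # Constructed stand-in for a legitimate request dump: plain containers only.
    return pickle.dumps({"request_id": 42, "prompt": "hello", "tokens": [1, 2, 3]})


def execution_evidence():
    return os.environ.get(MARKER)


def vulnerable_replay(data: bytes):
    """The pattern the advisory describes: trust whatever the file says."""
    return pickle.load(io.BytesIO(data))


def referenced_globals(data: bytes):
    """Check 1, static triage: list the (module, name) pairs the stream would
    import, without executing it. Handles GLOBAL (protocol <= 3) and
    STACK_GLOBAL (protocol >= 4). Strings pulled back out of the memo are not
    followed, so an empty result is a hint, not proof of safety."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            refs.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return refs


# Extend only with classes you have reviewed; never allow a whole module.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Check 2, the documented pickle hardening: every import the stream asks
    for goes through find_class, so an allowlist there blocks builtins.exec,
    os.system, subprocess.Popen and friends. Builtin scalars and containers
    never reach find_class, so a dict/list dump still loads."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_replay(data: bytes):
    """Returns (True, obj) on success or (False, reason) when the dump is
    refused; the shape a replay CLI would log instead of crashing."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    evil = build_malicious_pkl()
    print("imports requested by the dump:", referenced_globals(evil))
    print("restricted load:", safe_replay(evil))
    vulnerable_replay(evil)  # the unpatched behaviour
    print("marker after vulnerable load:", execution_evidence())
```

Running the block shows the dump asking to import `builtins.exec`, the restricted unpickler refusing it, and the vulnerable loader setting the marker, i.e. executing the payload, without the script ever touching the "data" it loaded. The allowlist is the right shape for a debugging tool whose dumps contain only containers and a handful of known types; if a dump genuinely needs arbitrary objects, the only safe options are a non-executable format such as JSON or only loading files you produced yourself.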

CWE(s)
None listed by NVD. The behaviour described, `pickle.load()` on attacker-controlled input, is Deserialization of Untrusted Data (CWE-502).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.006 Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The unrestricted pickle.load() in the local replay script executes arbitrary Python when it processes an attacker-supplied .pkl file, which maps directly to user-assisted execution of a malicious file (T1204.002) and to Python-based command and script execution (T1059.006).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

SGLang (`scripts/playground/replay_request_dump.py`; fixed in v0.5.10)
Inferred from the references and description; NVD did not file a CPE for this CVE. Orca Security is the source of the referenced analysis, not an affected product.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Mandates timely identification, reporting, and correction of flaws such as the insecure pickle.load() in SGLang's replay_request_dump.py, which in this case means updating to v0.5.10.

SI-10 Information Input Validation · prevent

Requires validation of inputs such as .pkl files before deserialization; for pickle, that means restricting which classes the unpickler may import or refusing untrusted files outright, since the format cannot be validated after the fact.

SI-3 Malicious Code Protection · prevent · detect

Deploys mechanisms to detect and eradicate malicious code executed via unsafe deserialization of .pkl files, for example endpoint monitoring for a Python interpreter spawning shells or network connections after loading a dump.
