CVE-2026-3989
Published: 12 March 2026
Summary
CVE-2026-3989 is a high-severity vulnerability (weakness type unspecified) in Orca (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 10.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3989 is a high-severity vulnerability (CVSS 7.8) in the SGLang framework, specifically affecting the `replay_request_dump.py` script located in the `scripts/playground` directory. The issue stems from an insecure use of `pickle.load()` without proper validation or safe deserialization, allowing arbitrary code execution when processing untrusted pickle files (.pkl). Published on March 12, 2026, this flaw impacts users running the affected script in SGLang, an open-source framework for serving large language models.
An attacker can exploit this vulnerability locally by providing a malicious .pkl file to a victim. Exploitation requires low complexity and user interaction, as the victim must execute the `replay_request_dump.py` script on the crafted file (AV:L/AC:L/PR:N/UI:R). Successful exploitation grants the attacker remote code execution (RCE) on the host device, with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to full system compromise.
Mitigation is available through the SGLang project's patch in pull request #20904 and the release of version v0.5.10, which addresses the insecure deserialization. Security advisories, including analysis from Orca Security, highlight this as one of multiple RCE vulnerabilities in the SGLang LLM framework and recommend updating to the patched version while avoiding untrusted .pkl files.
SGLang's role in deploying large language models makes this vulnerability particularly relevant to AI/ML infrastructure, where replay scripts may be used in development or debugging workflows. No public evidence of real-world exploitation has been reported as of the CVE publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11561
Vulnerability details
SGLang's `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attacker's code on the device running the script.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure pickle.load() deserialization in the local replay script enables arbitrary Python code execution upon processing a malicious .pkl file supplied by an attacker, directly mapping to user-assisted malicious file execution and Python-based command/script execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as the insecure pickle.load() in SGLang's replay_request_dump.py, directly enabling the upgrade to v0.5.10.
- SI-10 (Information Input Validation): requires validation of information inputs such as untrusted .pkl files before deserialization to prevent arbitrary code execution.
- Deploys mechanisms to monitor for and eradicate malicious code executed via unsafe deserialization of .pkl files.
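As an added illustration of the input-validation control above and of the safe-deserialization fix described in the deeper analysis (this is example code written for this page, not SGLang's replay_request_dump.py or its patch), the following Python validates a request dump before loading it: a static opcode scan with pickletools that never executes the stream, backed by a restricted Unpickler that refuses every global lookup. The two dump records are constructed samples, not real SGLang dumps.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that let a pickle stream resolve names in the loading process or call them.
# A replay dump made only of builtin scalars and containers never needs any of these.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def scan_dump(data: bytes) -> list[str]:
    """Statically list risky opcodes in a pickle stream.
    pickletools.genops only disassembles; nothing in the stream is executed."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in RISKY_OPCODES]


class NoGlobalsUnpickler(pickle.Unpickler):
    """Defence in depth behind the scan: refuse every global lookup, so even a
    stream that slipped past the opcode check cannot resolve a callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global lookup {module}.{name} is not allowed")


def safe_load_dump(data: bytes):
    """Load a request dump only if it is plain data; otherwise raise UnpicklingError."""
    risky = scan_dump(data)
    if risky:
        raise pickle.UnpicklingError(f"dump contains risky opcodes: {risky}")
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def try_load_dump(data: bytes) -> tuple[str, object]:
    """Report ('ok', obj) or ('rejected', reason) instead of raising."""
    try:
        return "ok", safe_load_dump(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed samples (not real SGLang dumps): a plain-data record, and one whose
# datetime.date field needs a global lookup plus REDUCE to rebuild, which is the
# same machinery an untrusted .pkl would use to reach arbitrary callables.
BENIGN_DUMP = pickle.dumps({"request_id": 7, "prompt": "hello", "max_new_tokens": 16}, protocol=4)
SUSPICIOUS_DUMP = pickle.dumps({"request_id": 8, "captured": datetime.date(2026, 3, 12)}, protocol=4)

if __name__ == "__main__":
    print(scan_dump(BENIGN_DUMP))       # []
    print(scan_dump(SUSPICIOUS_DUMP))   # includes STACK_GLOBAL
    print(try_load_dump(BENIGN_DUMP))
    print(try_load_dump(SUSPICIOUS_DUMP))
```

Restricting the dump format to builtin types is what makes the strict loader usable: any record that needs a class lookup to rebuild is rejected rather than trusted.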