Public story · 2026-03-17 · source-backed
Critical Unpatched CVSS 9.8 RCEs in SGLang + Amazon Bedrock AgentCore DNS Exfiltration
Story
Two critical disclosures today that share a disturbing ancestry. CVE-2026-3059 and CVE-2026-3060 are both CVSS 9.8 remote code execution vulnerabilities in SGLang — the popular LLM inference framework — via unsafe pickle deserialization in the ZeroMQ broker and disaggregation module. Zero authentication required. Any SGLang deployment exposing multimodal or disaggregation features is fully exploitable right now.
Separately, BeyondTrust revealed that Amazon Bedrock AgentCore's Code Interpreter sandbox permits outbound DNS queries, enabling attackers to establish interactive shells and exfiltrate data from inside agent code execution environments. The sandbox was supposed to be the security boundary. DNS was the escape hatch.
The SGLang vulns are the third instance of the ShadowMQ pattern — unsafe ZeroMQ + pickle combinations copied across the AI inference stack. Meta's vLLM had CVE-2025-30165. NVIDIA TensorRT-LLM had CVE-2025-23254. The same anti-pattern keeps replicating because inference framework developers treat internal IPC as trusted — then deploy it on networks where it isn't.
If you're running SGLang: disable multimodal and disaggregation features until patches land, or firewall the ZeroMQ ports. If you're running Bedrock AgentCore: assume the sandbox is not a security boundary and treat agent-generated code as untrusted even after execution. The DNS exfiltration vector means any data accessible inside the sandbox can leave via DNS resolution — a channel most network monitoring ignores entirely. Source
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / What happened next
AWS Bedrock AgentCore Sandbox Bypassed via DNS — BeyondTrust Discloses Full C2 Channel, AWS Declines to Patch
Both cover Bedrock AgentCore, Code Interpreter, DNS; overlapping topics (agentcore, bedrock, code, data, execution); picks up the Bedrock AgentCore thread on 2026-03-19.
DNS Egress Filtering for Agent Sandboxes — Block the Exfiltration Channel.
Both cover Bedrock AgentCore, BeyondTrust, DNS; overlapping topics (agentcore, bedrock, execution, exfiltration, sandbox); picks up the Bedrock AgentCore thread on 2026-03-19.
Shared entities / Same source domain / Shared topic / Earlier coverage
n8n CVE Firehose: 8 Critical Vulnerabilities in February
Both cover CVE, CVSS; reported by the same outlet (thehackernews.com); overlapping topics (code, critical, cvss, execution).
Shared entities / Same source domain / What happened next
The MCP supply chain has a hole in the floor, and it's being exploited right now
Both cover CVE, CVSS, LLM; reported by the same outlet (thehackernews.com); picks up the CVE thread on 2026-06-17.
cPanel Zero-Day Weaponized Within 24 Hours. 44,000 Servers Compromised, 'Sorry' Ransomware Deployed.
Both cover CVE, CVSS, Zero; reported by the same outlet (thehackernews.com); picks up the CVE thread on 2026-05-10.
Shared entities / Same source domain / Shared topic / What happened next
n8n Has Four Critical CVEs, CISA Deadline Is Today, and 71,537 Instances Are Exposed
Both cover CVE, CVSS; reported by the same outlet (thehackernews.com); overlapping topics (code, cvss).
Shared entities / Same source domain / Shared topic / Earlier coverage
XBOW Autonomous Pentesting Agent Discovers CVSS 9.8 RCE at Microsoft.
Both cover CVE, CVSS; reported by the same outlet (thehackernews.com); overlapping topics (critical, cvss).
n8n Has 8 Critical CVEs This Month, Including Unauthenticated RCE (CVSS 10.0).
Both cover CVE, CVSS; reported by the same outlet (thehackernews.com); overlapping topics (critical, cvss).
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — 2026-03-17
- AI generated
- no
- Story unit
- 2026-03-17-critical-unpatched-cvss-9-8-rces-in-sglang-amazon-bedrock-agentcore-dns-exfiltration
- Labels
- source-backed, canonical briefing excerpt