Skip to main content

Localgpt CVE-2026-5000

| EUVD-2026-16929 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-03-28 VulDB GHSA-wwwf-53m5-vmfq
Authentication Bypass Localgpt
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 28, 2026 - 15:15 euvd
EUVD-2026-16929
Analysis Generated
Mar 28, 2026 - 15:15 vuln.today
CVE Published
Mar 28, 2026 - 15:00 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authentication bypass in PromtEngineer localGPT affects the LocalGPTHandler API endpoint in backend/server.py, allowing unauthenticated remote attackers to access protected functionality with low confidentiality, integrity, and availability impact. The vulnerability stems from improper validation of the BaseHTTPRequestHandler argument, enabling attackers to manipulate request handling without credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment While the CVSS 4.0 score of 6.9 indicates a medium-severity vulnerability with low confidentiality, integrity, and availability impact, the overall real-world risk must be contextualized. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same network or with network access to the localGPT API endpoint (typically running on localhost:port) sends an HTTP request directly to the LocalGPTHandler API endpoint without providing any authentication credentials. Due to missing credential validation in the BaseHTTPRequestHandler argument processing, the handler accepts the request and processes it, potentially allowing the attacker to query the underlying language model, retrieve configuration details, or trigger other backend operations that should have been protected. …
Remediation Users should immediately update to a commit version more recent than 4d41c7d1713b16b216d8e062e51a5dd88b20b054 by pulling the latest upstream code from the PromtEngineer repository on GitHub. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems running PromtEngineer localGPT and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5000 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy