Skip to main content

LocalAI CVE-2026-59707

| EUVDEUVD-2026-42097 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-07 VulnCheck GHSA-8c5q-hx4g-qq23
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Remote, low-complexity, unauthenticated SSRF; scope changes as the server pivots to internal systems (S:C) with high confidentiality via leaked responses, and no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 21:30 vuln.today

DescriptionCVE.org

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper validation, enabling attackers to force the server to issue HTTP GET requests to private and loopback ranges with partial response content leaked through error messages.

AnalysisAI

Server-side request forgery in LocalAI's POST /models/apply endpoint lets unauthenticated remote attackers coerce the server into issuing HTTP GET requests to arbitrary internal, private, and loopback addresses, with partial response bodies disclosed back through error messages. The flaw stems from passing attacker-controlled gallery URL fields into gallery.GetGalleryConfigFromURLWithContext without validation, giving attackers a network pivot from the internet into otherwise unreachable back-end services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed LocalAI API
Delivery
Send POST /models/apply with internal gallery URL
Exploit
Server fetches loopback/private target
Execution
Partial response leaked via error message
Impact
Enumerate internal services and exfiltrate data

Vulnerability AssessmentAI

Exploitation The prerequisite is network reachability to LocalAI's HTTP API with the model gallery/apply functionality accessible - specifically the POST /models/apply endpoint accepting a caller-supplied gallery URL field, which is passed to gallery.GetGalleryConfigFromURLWithContext without validation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to genuine priority: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes remote, low-complexity, unauthenticated exploitation with high confidentiality impact to both the vulnerable system (VC:H) and a subsequent system (SC:H), reflecting the internal-network reach an SSRF grants. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an internet-exposed LocalAI instance sends a single crafted POST /models/apply request whose gallery URL points at http://169.254.169.254/ or an internal admin service. The server fetches the URL on the attacker's behalf and returns partial response content inside its error message, letting the attacker enumerate internal hosts and harvest data such as cloud metadata credentials. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the vendor fix in commit https://github.com/mudler/LocalAI/commit/f9b968e19d7cbc556d59dceb2e0e450b828a3fda by upgrading to a LocalAI build that includes it, then confirm the exact tagged release via the VulnCheck advisory (https://www.vulncheck.com/advisories/localai-server-side-request-forgery-via-post-models-apply) and issue #10665. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all LocalAI instances and their network exposure; apply immediate network segmentation if patching cannot begin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-6868 CRITICAL POC
9.8 Oct 29

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction.

CVE-2024-5181 CRITICAL POC
9.8 Jun 26

A command injection vulnerability exists in the mudler/localai version 2.14.0. Rated critical severity (CVSS 9.8), this

CVE-2024-2029 CRITICAL POC
9.8 Apr 10

A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioTo

CVE-2024-5182 CRITICAL POC
9.1 Jun 20

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parame

CVE-2024-6983 HIGH POC
8.8 Sep 27

mudler/localai version 2.17.1 is vulnerable to remote code execution. Rated high severity (CVSS 8.8), this vulnerability

CVE-2024-3135 MEDIUM POC
6.5 Apr 01

A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft

CVE-2024-48057 MEDIUM POC
6.1 Nov 04

localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is re

CVE-2024-7010 MEDIUM POC
5.9 Oct 29

mudler/localai version 2.17.1 is vulnerable to a Timing Attack. Rated medium severity (CVSS 5.9), this vulnerability is

CVE-2024-6095 MEDIUM POC
5.8 Jul 06

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (

CVE-2024-5616 MEDIUM POC
4.3 Jul 06

A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which al

CVE-2024-9900 MEDIUM POC
6.1 Mar 20

mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. Rated me

Share

CVE-2026-59707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy