Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, low-complexity, unauthenticated SSRF; scope changes as the server pivots to internal systems (S:C) with high confidentiality via leaked responses, and no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper validation, enabling attackers to force the server to issue HTTP GET requests to private and loopback ranges with partial response content leaked through error messages.
AnalysisAI
Server-side request forgery in LocalAI's POST /models/apply endpoint lets unauthenticated remote attackers coerce the server into issuing HTTP GET requests to arbitrary internal, private, and loopback addresses, with partial response bodies disclosed back through error messages. The flaw stems from passing attacker-controlled gallery URL fields into gallery.GetGalleryConfigFromURLWithContext without validation, giving attackers a network pivot from the internet into otherwise unreachable back-end services. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The prerequisite is network reachability to LocalAI's HTTP API with the model gallery/apply functionality accessible - specifically the POST /models/apply endpoint accepting a caller-supplied gallery URL field, which is passed to gallery.GetGalleryConfigFromURLWithContext without validation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to genuine priority: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes remote, low-complexity, unauthenticated exploitation with high confidentiality impact to both the vulnerable system (VC:H) and a subsequent system (SC:H), reflecting the internal-network reach an SSRF grants. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an internet-exposed LocalAI instance sends a single crafted POST /models/apply request whose gallery URL points at http://169.254.169.254/ or an internal admin service. The server fetches the URL on the attacker's behalf and returns partial response content inside its error message, letting the attacker enumerate internal hosts and harvest data such as cloud metadata credentials. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the vendor fix in commit https://github.com/mudler/LocalAI/commit/f9b968e19d7cbc556d59dceb2e0e450b828a3fda by upgrading to a LocalAI build that includes it, then confirm the exact tagged release via the VulnCheck advisory (https://www.vulncheck.com/advisories/localai-server-side-request-forgery-via-post-models-apply) and issue #10665. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all LocalAI instances and their network exposure; apply immediate network segmentation if patching cannot begin immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction.
A command injection vulnerability exists in the mudler/localai version 2.14.0. Rated critical severity (CVSS 9.8), this
A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioTo
A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the `model` parame
mudler/localai version 2.17.1 is vulnerable to remote code execution. Rated high severity (CVSS 8.8), this vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft
localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is re
mudler/localai version 2.17.1 is vulnerable to a Timing Attack. Rated medium severity (CVSS 5.9), this vulnerability is
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (
A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which al
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. Rated me
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42097
GHSA-8c5q-hx4g-qq23