CVE-2026-5000
Received Received - Intake
Authentication Bypass in PromtEngineer localGPT API Endpoint

Publication date: 2026-03-28

Last updated on: 2026-03-28

Assigner: VulDB

Description
A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-28
Last Modified
2026-03-28
Generated
2026-05-06
AI Q&A
2026-03-28
EPSS Evaluated
2026-05-05
NVD
CVE-2026-5000
EUVD
EUVD-2026-16929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
promtengineer localgpt to 4d41c7d1713b16b216d8e062e51a5dd88b20b054 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5000 is a critical security vulnerability in the localGPT product by PromtEngineer that affects all API endpoints due to a complete lack of authentication and authorization mechanisms.

The vulnerability exists because the backend API, specifically in the file backend/server.py, does not perform any authentication or authorization checks on HTTP methods such as GET, POST, and DELETE. This means any attacker can remotely access and manipulate sessions and messages without needing credentials.

  • Unauthenticated attackers can list all sessions, retrieve messages, create new sessions and messages, and delete any session.
  • Sessions are identified by UUIDs that can be enumerated or brute-forced, facilitating unauthorized access.
  • The server's CORS policy is misconfigured to allow all origins, methods, and headers, increasing the risk of cross-origin attacks.

How can this vulnerability impact me? :

This vulnerability can have severe impacts including complete data disclosure, full data modification, and deletion capabilities by attackers.

  • Attackers can steal sensitive data such as database credentials, API keys, customer personally identifiable information (PII), and proprietary business information.
  • Attackers can delete sessions causing data loss and disrupt availability.
  • The vulnerability allows lateral movement by attackers using stolen credentials and API keys to compromise further network and cloud resources.
  • There is a risk of regulatory fines, legal fees, forensic costs, reputation damage, economic losses, and potential criminal liability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability causes violations of multiple compliance standards and regulations including GDPR, CCPA, PCI DSS, HIPAA, and SOC 2.

Because it allows unauthorized access to sensitive personal and business data, it exposes organizations to regulatory fines that can reach up to €20 million, legal consequences, and increased forensic and remediation costs.

Failure to secure authentication and authorization mechanisms as required by these standards can lead to non-compliance and significant penalties.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting unauthenticated HTTP requests to the API endpoints of the localGPT product, specifically targeting session management endpoints such as /sessions and /sessions/{id}.

For example, using curl commands to check if authentication is missing and unauthorized access is possible:

  • List all sessions without authentication: curl -X GET http://<target>/sessions
  • Retrieve messages of a specific session without authentication: curl -X GET http://<target>/sessions/<session_id>
  • Attempt to create a new session without authentication: curl -X POST http://<target>/sessions -d '{}'
  • Attempt to delete a session without authentication: curl -X DELETE http://<target>/sessions/<session_id>

If these commands succeed without requiring authentication, it indicates the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing strong authentication and authorization mechanisms on all API endpoints.

  • Implement JWT-based authentication with token expiration and secret keys.
  • Add middleware or decorators to enforce authentication checks on all HTTP methods (GET, POST, DELETE).
  • Add authorization checks to verify session ownership before allowing access or modification.
  • Restrict session listing and message access to only the authenticated user's own sessions.
  • Secure database queries to include user ownership verification.
  • Fix CORS policy by restricting allowed origins, methods, and headers to trusted domains.

This vulnerability is critical and marked as P0 priority, requiring deployment of fixes within 24 hours to prevent trivial exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart