CVE-2026-5001
Received Received - Intake
Unrestricted File Upload in PromtEngineer localGPT do_POST Function

Publication date: 2026-03-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The affected element is the function do_POST of the file backend/server.py. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5001
EUVD
EUVD-2026-16932
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
promtengineer localgpt to 4d41c7d1713b16b216d8e062e51a5dd88b20b054 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5001 is an unrestricted file upload vulnerability in the localGPT product by PromtEngineer. It exists in the do_POST function of the backend/server.py file, allowing any user to upload files without authentication or validation.

The vulnerability allows attackers to upload files of any type and size via HTTP POST requests to specific upload endpoints. There are no checks on file extensions, content types, or file sizes, and filenames are not sanitized.

Although uploaded files are not executable by the server and cannot be accessed via HTTP, the lack of restrictions can lead to resource exhaustion by filling up disk space.

Impact Analysis

The primary impact of this vulnerability is Denial of Service (DoS) caused by disk space exhaustion.

  • Attackers can upload large files repeatedly without authentication, consuming all available disk space.
  • This resource exhaustion can degrade service quality, preventing legitimate users from uploading files.
  • It can also cause failures in indexing and database operations, potentially crashing the server with 'No space left on device' errors.

There is no remote code execution or confidentiality breach associated with this vulnerability.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized HTTP POST requests to endpoints matching the pattern /sessions/{session_id}/upload, which allow file uploads without authentication.

You can check for large or unusual file uploads in the shared uploads directory where files are saved with UUID-prefixed names.

Suggested commands include:

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture POST requests to /sessions/*/upload endpoints.
  • On the server, list recently uploaded files with timestamps and sizes, for example: `ls -lh /path/to/SHARED_UPLOADS_DIR`.
  • Check disk usage to detect rapid exhaustion: `df -h` and `du -sh /path/to/SHARED_UPLOADS_DIR`.
  • Search server logs for unauthenticated POST requests to upload endpoints: `grep 'POST /sessions/' /var/log/server.log`.
Mitigation Strategies

Immediate mitigation steps include implementing authentication to require valid authorization tokens before accepting any file uploads.

Restrict file uploads to a whitelist of safe file extensions such as .pdf, .docx, .txt, .md, .csv, and .json.

Enforce file size limits per upload (e.g., maximum 50MB) and total storage quotas per session (e.g., 500MB) to prevent disk space exhaustion.

Apply rate limiting to restrict the number of uploads per session per time interval (e.g., 10 uploads per minute).

Sanitize filenames to remove path traversal characters and special symbols to reduce potential path traversal risks.

Monitor disk usage and enforce storage quotas to prevent denial of service caused by disk space exhaustion.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5001. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart