CVE-2026-5001
Status: Received - Intake
Unrestricted File Upload in PromtEngineer localGPT do_POST Function

Publication date: 2026-03-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in PromtEngineer localGPT up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The affected element is the function do_POST in the file backend/server.py. The flaw allows unrestricted file upload. The attack can be carried out remotely. An exploit has been published and may be used. This product follows a rolling release strategy, so version numbers for affected or fixed releases cannot be specified; the affected range is identified by commit hash. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-05-05
Cross-references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: promtengineer
Product: localgpt
Version / Range: up to and including commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054
CWE IDs
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5001 is an unrestricted file upload vulnerability in the localGPT product by PromtEngineer. It exists in the do_POST function of the backend/server.py file, which accepts file uploads from any client without authentication or validation.

Attackers can upload files of any type and size via HTTP POST requests to the upload endpoints (/sessions/{session_id}/upload). The handler performs no checks on file extension, content type, or file size, and does not sanitize the supplied filename.

The server does not execute uploaded files and does not serve them back over HTTP, so the practical consequence of the missing limits is resource exhaustion: an attacker can fill the upload directory until the disk is full.


How can this vulnerability impact me?

The primary impact of this vulnerability is Denial of Service (DoS) caused by disk space exhaustion.

  • Attackers can upload large files repeatedly without authentication, consuming all available disk space.
  • This resource exhaustion can degrade service quality, preventing legitimate users from uploading files.
  • It can also cause failures in indexing and database operations, potentially crashing the server with 'No space left on device' errors.

No remote code execution or confidentiality impact has been reported for this vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Because the endpoint requires no authentication, every HTTP POST to a path matching /sessions/{session_id}/upload is an unauthenticated upload. Detection therefore means watching that endpoint for unexpected sources, unusual volume, or bursts of requests.

On the server, look for large or unusual files in the shared uploads directory, where uploaded files are saved under UUID-prefixed names.

Suggested commands (replace paths, ports and log locations with those of your deployment):

  • Capture POST requests to the upload endpoint with a network monitoring tool such as tcpdump or Wireshark, filtering on the port the localGPT backend listens on and looking for request lines containing `/sessions/` and `/upload`.
  • List recently uploaded files with timestamps and sizes: `ls -lht /path/to/SHARED_UPLOADS_DIR | head`.
  • Check disk usage to detect rapid exhaustion: `df -h` and `du -sh /path/to/SHARED_UPLOADS_DIR`.
  • Search the backend's access or application log for upload requests, for example `grep 'POST /sessions/' /path/to/server.log`, and count requests per source address to spot bursts.
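The burst check above is easy to script. The following is an added example, not code from the localGPT project or from this advisory: it parses Common Log Format access lines (a constructed sample is embedded), extracts POSTs to /sessions/{session_id}/upload, and flags any source address that exceeds a threshold of uploads inside a sliding one-minute window. The log format, the threshold values and the directory-report helper are assumptions for illustration; adapt the regular expression to whatever proxy or application log actually fronts your backend.

```python
"""Flag upload bursts to /sessions/{id}/upload from access logs (added example)."""
import os
import re
import shutil
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Common Log Format; not a real capture. The GET line is
# deliberately out of time order to show that events are sorted before analysis.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2026:10:00:01 +0000] "POST /sessions/abc123/upload HTTP/1.1" 200 512
10.0.0.5 - - [28/Mar/2026:10:00:02 +0000] "POST /sessions/abc123/upload HTTP/1.1" 200 512
10.0.0.5 - - [28/Mar/2026:10:00:03 +0000] "POST /sessions/abc123/upload HTTP/1.1" 200 512
10.0.0.9 - - [28/Mar/2026:10:00:10 +0000] "GET /sessions/abc123 HTTP/1.1" 200 128
10.0.0.5 - - [28/Mar/2026:10:00:04 +0000] "POST /sessions/abc123/upload HTTP/1.1" 200 512
10.0.0.7 - - [28/Mar/2026:10:05:00 +0000] "POST /sessions/def456/upload HTTP/1.1" 200 512
"""

# Assumed CLF layout: ip ident user [timestamp] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
UPLOAD_RE = re.compile(r"^/sessions/(?P<session>[^/]+)/upload/?$")


def parse_upload_events(log_text):
    """Return (ip, session_id, timestamp) for every POST to an upload endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        u = UPLOAD_RE.match(m["path"])
        if not u:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], u["session"], ts))
    return events


def find_bursts(events, window=timedelta(minutes=1), max_uploads=3):
    """Map each source IP that exceeds max_uploads within any sliding window
    to the highest upload count observed in such a window."""
    by_ip = defaultdict(list)
    for ip, _session, ts in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_uploads:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


def uploads_dir_report(path):
    """Summarise the upload directory: file count, bytes stored, bytes free on the volume."""
    total = 0
    count = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
            count += 1
    return {"files": count, "bytes": total, "free": shutil.disk_usage(path).free}


if __name__ == "__main__":
    events = parse_upload_events(SAMPLE_LOG)
    print(f"{len(events)} upload POSTs parsed")
    for ip, count in find_bursts(events).items():
        print(f"ALERT {ip}: {count} uploads within one minute")
    # Point this at the real SHARED_UPLOADS_DIR of your deployment (assumed path).
    print(uploads_dir_report(os.environ.get("SHARED_UPLOADS_DIR", ".")))
```

Run it against a copy of the access log and compare the flagged addresses with the file growth reported for the uploads directory; a single source producing many uploads in a minute while free space drops is the pattern this advisory describes.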

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include requiring a valid authorization token before any upload is accepted, so that only authenticated clients can reach the handler.

Restrict uploads to an allow-list of document extensions the application actually processes, such as .pdf, .docx, .txt, .md, .csv, and .json.

Enforce a per-file size limit (e.g., a maximum of 50 MB) and a total storage quota per session (e.g., 500 MB) so a single client cannot exhaust the disk.

Apply rate limiting to restrict the number of uploads per session per time interval (e.g., 10 uploads per minute).

Sanitize filenames: strip directory components and special characters so that an attacker-supplied name cannot influence where or under what name the file is written.

Monitor disk usage and enforce the storage quotas so that denial of service through disk exhaustion is detected and stopped early.
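The checks listed above belong together in one policy that runs before the request body is written to disk. The following is an added example, not the localGPT project's code: an `UploadPolicy` class that a `do_POST`-style handler would consult with the request's token, session id, declared filename and `Content-Length`, and that returns either the UUID-prefixed name to store the file under or the reason for rejection. The shared bearer token, the limit values and the `Decision` type are assumptions for illustration; the handler must still cap the bytes it actually reads to the accepted `Content-Length`, since a client can lie about the header.

```python
"""Upload policy for a do_POST-style handler (added example, not localGPT's code)."""
import hmac
import re
import time
import uuid
from collections import defaultdict, deque
from pathlib import PurePosixPath
from typing import NamedTuple

# Assumed limits, matching the advisory's suggested values.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".txt", ".md", ".csv", ".json"}
MAX_UPLOAD_BYTES = 50 * 2**20       # 50 MB per file
MAX_SESSION_BYTES = 500 * 2**20     # 500 MB per session
MAX_UPLOADS_PER_MINUTE = 10


class Decision(NamedTuple):
    accepted: bool
    detail: str   # on-disk filename when accepted, rejection reason otherwise


def sanitize_filename(name):
    """Drop directory components and anything outside a conservative character set.
    Returns None when nothing usable remains (e.g. '..', '', '/')."""
    base = PurePosixPath(name.replace("\\", "/")).name   # removes ../ and absolute prefixes
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base[:128] or None


class UploadPolicy:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._session_bytes = defaultdict(int)    # session -> bytes accepted so far
        self._recent = defaultdict(deque)         # session -> times of accepted uploads

    def check(self, token, expected_token, session_id, filename, content_length):
        # 1. Authentication: constant-time comparison against the configured token.
        if not token or not expected_token or not hmac.compare_digest(token, expected_token):
            return Decision(False, "missing or invalid authorization token")
        # 2. Filename sanitisation and extension allow-list (final suffix only; content
        #    sniffing is out of scope here).
        safe = sanitize_filename(filename)
        if safe is None:
            return Decision(False, "empty or invalid filename")
        if PurePosixPath(safe).suffix.lower() not in ALLOWED_EXTENSIONS:
            return Decision(False, f"extension not allowed: {safe}")
        # 3. Per-file size limit on the declared length; the caller reads at most this many bytes.
        if content_length is None or content_length <= 0 or content_length > MAX_UPLOAD_BYTES:
            return Decision(False, "missing, zero or oversized Content-Length")
        # 4. Per-session storage quota.
        if self._session_bytes[session_id] + content_length > MAX_SESSION_BYTES:
            return Decision(False, "session storage quota exceeded")
        # 5. Rate limit: sliding one-minute window of accepted uploads.
        now = self._clock()
        window = self._recent[session_id]
        while window and now - window[0] > 60:
            window.popleft()
        if len(window) >= MAX_UPLOADS_PER_MINUTE:
            return Decision(False, "too many uploads in the last minute")
        # All checks passed: record the upload and hand back the UUID-prefixed name.
        window.append(now)
        self._session_bytes[session_id] += content_length
        return Decision(True, f"{uuid.uuid4()}_{safe}")


if __name__ == "__main__":
    policy = UploadPolicy()
    print(policy.check("s3cret", "s3cret", "sess1", "../../etc/passwd.txt", 4096))
    print(policy.check("s3cret", "s3cret", "sess1", "shell.php", 4096))
    print(policy.check(None, "s3cret", "sess1", "notes.md", 4096))
```

In a `BaseHTTPRequestHandler.do_POST`, parse the session id from the path, read the `Authorization` and `Content-Length` headers, call `policy.check(...)`, and only on `accepted` read exactly `content_length` bytes from `self.rfile` into `SHARED_UPLOADS_DIR / detail`; otherwise answer 401, 400, 413 or 429 as the reason dictates. Keep the quota and rate-limit state in one process or a shared store, since a per-worker copy is what an attacker would otherwise spread requests across.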


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

