CVE-2026-6588
Authentication Bypass in Serge-Chat Model API Enables Remote Exploit
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| serge-chat | serge | to 1.4TB (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the serge-chat serge software up to version 1.4TB, specifically in the download_model and delete_model functions of the Model API Endpoint component. An attacker can exploit this weakness remotely by manipulating these functions, which can lead to missing authentication controls.
Because authentication can be bypassed, unauthorized users might be able to perform actions that should require proper credentials.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthenticated access to the model management API endpoints under the path `/api/model/*` in the Serge chat application.
- Use an unauthenticated GET request to enumerate all models: `curl -X GET http://<target>/api/model/all`
- Attempt to trigger a model download without authentication: `curl -X POST http://<target>/api/model/{model_name}/download`
- Try to cancel a download without authentication: `curl -X POST http://<target>/api/model/{model_name}/download/cancel`
If these commands succeed without requiring authentication, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the model management API endpoints to prevent unauthenticated requests.
- Implement authentication checks on all `/api/model/*` endpoints, ensuring only authorized users can access them.
- Restrict network access to the affected endpoints by using firewall rules or network segmentation to limit exposure.
- Monitor disk usage closely to detect abnormal spikes that may indicate exploitation attempts.
Since no official patches or fixes are available, these steps help reduce the risk until a vendor update is released.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker can remotely exploit the missing authentication to perform unauthorized actions on the affected system.
This could lead to unauthorized deletion or downloading of models via the API, potentially compromising the integrity and availability of the system's data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows for missing authentication in the Model API Endpoint, which can be exploited remotely. This weakness could potentially lead to unauthorized access or manipulation of data.
However, there is no specific information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.