PromtEngineer localGPT Missing Authentication Vulnerability (CVE-2026-5000)
A missing authentication vulnerability (CVE-2026-5000) exists in PromtEngineer localGPT's API Endpoint, allowing remote attackers to bypass authentication by manipulating the BaseHTTPRequestHandler argument, potentially leading to unauthorized access and data manipulation.
A missing authentication vulnerability has been identified in PromtEngineer localGPT, specifically in versions up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This flaw resides within the LocalGPTHandler function of the backend/server.py file, affecting the API Endpoint component. By manipulating the BaseHTTPRequestHandler argument, a remote attacker can bypass authentication mechanisms, gaining unauthorized access to the application's functionalities. Given the rolling release nature of localGPT, pinpointing specific vulnerable versions is challenging. Successful exploitation could grant attackers significant control over the localGPT instance, potentially leading to data breaches or system compromise. The vendor was notified but did not respond.
Attack Chain
- The attacker identifies a vulnerable localGPT instance running a version up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054.
- The attacker crafts a malicious HTTP request targeting the API Endpoint.
- The crafted request manipulates the
BaseHTTPRequestHandlerargument. - The
LocalGPTHandlerfunction processes the manipulated request without proper authentication checks. - The attacker bypasses authentication and gains unauthorized access to the API Endpoint.
- The attacker can now perform privileged actions, such as accessing sensitive data or modifying application settings.
- The attacker could potentially exfiltrate data or inject malicious content.
- The final objective is complete compromise of the localGPT instance, data theft, or disruption of services.
Impact
Successful exploitation of CVE-2026-5000 allows unauthorized remote access to PromtEngineer localGPT instances. This could lead to the exposure of sensitive data processed by the application, modification of configurations, or injection of malicious content. The absence of versioning makes assessing the number of vulnerable installations difficult, but the impact on affected systems is significant, potentially resulting in data breaches, intellectual property theft, and reputational damage.
Recommendation
- Inspect web server logs for unusual requests to the
/apiendpoint that contain malformed or unexpected parameters in the request body, focusing on those affecting authentication or authorization processes. Use the "Detect Suspicious API Endpoint Access" Sigma rule below. - Monitor HTTP requests to the localGPT instance, specifically those targeting the API endpoint, for unusual manipulation of request headers or parameters, focusing on parameters related to authentication. Use the "Detect LocalGPT Authentication Bypass Attempt" Sigma rule.
- While a patch is unavailable, implement rate limiting and input validation on the API endpoint to mitigate potential exploitation attempts based on abnormal traffic patterns.
Detection coverage 2
Detect Suspicious API Endpoint Access
highDetects suspicious access patterns to the API endpoint, potentially indicating an attempted authentication bypass.
Detect LocalGPT Authentication Bypass Attempt
mediumDetects attempts to bypass authentication in localGPT by manipulating request parameters.
Detection queries are available on the platform. Get full rules →