{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5000", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T13:48:21.340Z", "datePublished": "2026-03-28T15:00:16.421Z", "dateUpdated": "2026-03-28T15:00:16.421Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-28T15:00:16.421Z"}, "title": "PromtEngineer localGPT API Endpoint server.py LocalGPTHandler missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "PromtEngineer", "product": "localGPT", "versions": [{"version": "4d41c7d1713b16b216d8e062e51a5dd88b20b054", "status": "affected"}], "modules": ["API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T14:54:00.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu_Bao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/353887", "name": "VDB-353887 | PromtEngineer localGPT API Endpoint server.py LocalGPTHandler missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/353887/cti", "name": "VDB-353887 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/778315", "name": "Submit #778315 | PromtEngineer localGPT Latest (commit 4d41c7d) Missing Authentication and Authorization", "tags": ["third-party-advisory"]}, {"url": "https://github.com/August829/CVEP/issues/8", "tags": ["issue-tracking"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-5000", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-28T15:16:38.563", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/August829/CVEP/issues/8"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/778315"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353887"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/353887/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "4d41c7d1713b16b216d8e062e51a5dd88b20b054"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "localGPT", "source": "cna", "vendor": "PromtEngineer"}, "product": "localgpt", "vendor": "promtengineer"}], "analysis": {"en": {"generated_at": "2026-03-28T16:20:34.437862+00:00", "value": {"mitigation_remediation": ["Verify if localGPT is deployed and determine version.", "Check the project repository or the vendor's website for a patch or newer commit that addresses the authentication bypass.", "Apply any available patch or upgrade to a fixed version.", "If no fix exists, isolate the API endpoint by restricting inbound traffic through firewall or network segmentation.", "Enable detailed logging for API requests to detect unauthorized activity.", "Reach out to PromtEngineer for an update or acknowledgement of the defect.", "Monitor for exploitation indicators in logs and network traffic."], "summary": {"action": "Apply Fix", "impact": "Remote Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PromtEngineer localGPT product. All releases based on the commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054 or earlier are unpatched. Because the project follows a rolling release model, specific version numbers are not disclosed, meaning that any installed instance that has not applied a fix is susceptible.", "description_and_impact": "A flaw named PromtEngineer localGPT API Endpoint server.py LocalGPTHandler missing authentication permits attackers to call the LocalGPT API endpoint without needing credentials. The bug arises from improper handling of the BaseHTTPRequestHandler arguments, allowing the request to bypass authentication checks. As a result, an attacker can retrieve or influence data processed by LocalGPT, potentially accessing sensitive content or injecting malicious requests.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium to high risk, and the absence of an EPSS score leaves uncertainty about exploitation likelihood. The vulnerability is exploitable remotely via the exposed API endpoint, and the lack of authentication allows attackers to execute arbitrary requests or retrieve data. Since the product does not list the CVE in the KEV catalog, it may be less widely exploited, yet the potential impact for compromised accounts remains significant. Prompt attention to patching or mitigation is recommended."}}}}, "created": "2026-03-29T20:32:09.160055+00:00", "updated": "2026-03-30T06:59:02.651190+00:00", "vendors": ["promtengineer", "promtengineer$PRODUCT$localgpt"]}