Platform: python
Component: cvep
Fixed in: 4.0.1
CVE-2026-5001 describes an unrestricted upload vulnerability affecting PromtEngineer's localGPT. This flaw allows remote attackers to upload arbitrary files due to improper input validation in the do_POST function within backend/server.py. The affected version is up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054. There is currently no official patch available for this vulnerability.
A security vulnerability has been identified in PromtEngineer's localGPT, specifically within the do_POST function of the backend/server.py file, up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This vulnerability allows for unrestricted file uploads, potentially enabling a remote attacker to upload malicious files to the system. Given localGPT's rolling release strategy, specific affected or updated versions cannot be specified; any instance running a version prior to the fix is potentially vulnerable. The public release of an exploit increases the risk of attacks.
The vulnerability permits unrestricted file uploads via an HTTP POST request. A remote attacker can exploit this by sending a POST request with a malicious file. The lack of validation within the do_POST function allows the file to be uploaded without type or size verification. The public availability of the exploit facilitates exploitation by attackers with varying levels of technical skill. The remote nature of the exploitation means the attacker doesn’t require physical access to the affected system.
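The paragraph above says the handler stores whatever the POST body contains, with no check on type or size. As an added illustration (not localGPT's code, and not a patch for it), the following is a standalone http.server handler whose do_POST enforces the checks the advisory says are missing: a Content-Length cap enforced before the body is read, a filename allow-list pattern, an extension allow-list, a content check against the claimed type, and a destination path that is verified to stay inside the upload directory. The `/upload` route, the `X-Filename` header, the size cap and the extension list are assumptions chosen for the example.

```python
"""Hardened upload handler (added example, not localGPT's server.py).

Assumptions: uploads arrive as a raw POST body to /upload with the
file name in an X-Filename header; the size cap and extension
allow-list below are illustrative values.
"""
import os
import re
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_UPLOAD_BYTES = 10 * 1024 * 1024                   # hypothetical cap
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".md", ".csv"}  # hypothetical allow-list
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "localgpt_uploads_example")
# One path component only: no separators, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
_PDF_MAGIC = b"%PDF-"


def validate_upload(filename, content_length, body):
    """Return (ok, reason) for a proposed upload; reject on first failure."""
    if not filename or not _SAFE_NAME.match(filename):
        return False, "invalid filename"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if content_length is None or content_length <= 0 or content_length > MAX_UPLOAD_BYTES:
        return False, "invalid or oversized Content-Length"
    if len(body) != content_length:
        return False, "body length mismatch"
    # Check the bytes against the claimed type, not just the extension.
    if ext == ".pdf":
        if not body.startswith(_PDF_MAGIC):
            return False, "content does not match PDF signature"
    else:
        try:
            body.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text upload is not valid UTF-8"
    return True, "ok"


def safe_destination(filename):
    """Join into UPLOAD_DIR and confirm the resolved path stays inside it."""
    root = os.path.realpath(UPLOAD_DIR)
    dest = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes upload directory")
    return dest


class UploadHandler(BaseHTTPRequestHandler):
    def _reply(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/upload":
            return self._reply(404, "not found")
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            return self._reply(400, "bad Content-Length")
        if length > MAX_UPLOAD_BYTES:
            # Refuse before reading so an oversized body is never buffered.
            return self._reply(413, "payload too large")
        body = self.rfile.read(length)
        filename = self.headers.get("X-Filename", "")
        ok, reason = validate_upload(filename, length, body)
        if not ok:
            return self._reply(400, reason)
        os.makedirs(UPLOAD_DIR, exist_ok=True)
        with open(safe_destination(filename), "wb") as fh:
            fh.write(body)
        self._reply(201, "stored")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), UploadHandler).serve_forever()
```

The order of the checks matters: the size cap is applied to the declared Content-Length before any body bytes are read, and the path check in safe_destination is kept even though the filename pattern already excludes separators, so that a later relaxation of the pattern does not silently reintroduce traversal.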
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
Due to localGPT's continuous delivery (rolling release) nature, there isn't a specific patch update available. The recommended mitigation is to update to the latest available version of localGPT as soon as possible. While specific versions cannot be specified, each new release should incorporate security fixes. Additionally, limiting access to the localGPT instance to trusted users and networks is recommended. Monitoring server logs for suspicious activity can also help detect and respond to potential attacks. Contacting the vendor for information on the latest updates and best security practices is strongly advised.
Update to a version later than commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054 that fixes the unrestricted upload vulnerability. Since the project uses a rolling release strategy, obtaining the latest version available from the repository is recommended.
It means the software is continuously updated with new versions instead of periodic major releases.
Due to the 'rolling release' model, it's difficult to determine the exact version. Updating to the latest available version is the best way to mitigate the risk.
Any type of file, including executables, malicious scripts, or files that could compromise system integrity.
Disconnect the system from the network, change passwords, and contact a cybersecurity professional for assessment and cleanup.
Limiting access to the localGPT instance and monitoring server logs are temporary measures that can help reduce the risk.
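The mitigation paragraph and the note above both recommend monitoring server logs while the instance is exposed. The following is an added example (not part of this advisory or of localGPT) of what that monitoring can look like in practice: a small analyzer that reads upload log lines and raises alerts for disallowed extensions, path traversal attempts in the submitted name, oversized uploads, and bursts of uploads from one client. The log line format, the sample lines, the thresholds and the extension allow-list are all constructed for the example; a real deployment would adapt the regular expression to the server's actual log format.

```python
"""Upload log monitor (added example; log format and data are constructed)."""
import os
import re
from collections import defaultdict
from datetime import datetime

ALLOWED_EXTENSIONS = {".txt", ".pdf", ".md", ".csv"}  # hypothetical allow-list
MAX_UPLOAD_BYTES = 10 * 1024 * 1024                   # hypothetical cap
BURST_LIMIT, BURST_WINDOW_S = 5, 60                   # hypothetical thresholds

# Assumed log format: "<iso-utc> <client-ip> <method> <path> name=<file> size=<bytes> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"name=(?P<name>\S*) size=(?P<size>\d+) status=(?P<status>\d{3})$"
)

# Constructed sample: one benign client and one client probing the upload endpoint.
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z 198.51.100.7 POST /upload name=report.pdf size=204800 status=201",
    "2026-03-01T10:00:03Z 198.51.100.7 GET /health name= size=0 status=200",
    "2026-03-01T10:00:05Z 203.0.113.5 POST /upload name=shell.py size=1337 status=201",
    "2026-03-01T10:00:06Z 203.0.113.5 POST /upload name=../../app.py size=512 status=201",
    "2026-03-01T10:00:07Z 203.0.113.5 POST /upload name=big.bin size=52428800 status=201",
    "2026-03-01T10:00:08Z 203.0.113.5 POST /upload name=ok.txt size=40 status=201",
    "2026-03-01T10:00:09Z 203.0.113.5 POST /upload name=ok2.txt size=41 status=201",
    "this line is not in the expected format",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["size"] = int(ev["size"])
    return ev


def analyze(lines):
    """Return a list of (client_ip, alert_kind, detail) tuples for upload events."""
    alerts = []
    uploads_by_ip = defaultdict(list)  # ip -> timestamps of POST /upload
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/upload":
            continue
        ip, name, ts = ev["ip"], ev["name"], ev["ts"]
        # Names must be a single path component; separators or a leading dot are traversal attempts.
        if "/" in name or "\\" in name or name.startswith("."):
            alerts.append((ip, "path traversal attempt", name))
        ext = os.path.splitext(name)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            alerts.append((ip, "disallowed extension", name))
        if ev["size"] > MAX_UPLOAD_BYTES:
            alerts.append((ip, "oversized upload", name))
        # Burst detection: fire once when the client reaches BURST_LIMIT uploads in the window.
        uploads_by_ip[ip].append(ts)
        recent = [t for t in uploads_by_ip[ip] if (ts - t).total_seconds() <= BURST_WINDOW_S]
        if len(recent) == BURST_LIMIT:
            alerts.append((ip, "upload burst", f"{BURST_LIMIT} uploads within {BURST_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in analyze(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{detail}")
```

Running the block against the constructed sample yields no alerts for 198.51.100.7 and six for 203.0.113.5 (one for the script extension, two for the traversal attempt, two for the oversized binary, one for the burst); lines that do not match the format are skipped rather than crashing the monitor.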