Description
A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Unauthorized Access
Action: Apply Fix
AI Analysis

Impact

The flaw, titled "PromtEngineer localGPT API Endpoint server.py LocalGPTHandler missing authentication", lets a remote client call the localGPT API endpoint without presenting any credentials. The analysis attributes it to improper handling of the BaseHTTPRequestHandler arguments, so requests reach LocalGPTHandler without passing an authentication check. As a result, an unauthenticated attacker can retrieve or influence data processed by localGPT, potentially reading sensitive content or injecting malicious requests.

Affected Systems

The vulnerability affects the PromtEngineer localGPT product. All releases based on the commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054 or earlier are unpatched. Because the project follows a rolling release model, specific version numbers are not disclosed, meaning that any installed instance that has not applied a fix is susceptible.

Risk and Exploitability

The CVSS score of 6.9 indicates medium to high risk, and the absence of an EPSS score leaves uncertainty about the likelihood of exploitation. The vulnerability is exploitable remotely via the exposed API endpoint, and the lack of authentication allows an attacker to issue arbitrary requests or retrieve data. Since the CVE is not listed in the KEV catalog, it may be less widely exploited, yet the potential impact on compromised deployments remains significant. Prompt attention to patching or mitigation is recommended.

Generated by OpenCVE AI on March 28, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Verify whether localGPT is deployed and determine the installed version or commit.
  • Check the project repository or the vendor's website for a patch or newer commit that addresses the authentication bypass.
  • Apply any available patch or upgrade to a fixed version.
  • If no fix exists, isolate the API endpoint by restricting inbound traffic through firewall or network segmentation.
  • Enable detailed logging for API requests to detect unauthorized activity.
  • Reach out to PromtEngineer for an update or acknowledgement of the defect.
  • Monitor for exploitation indicators in logs and network traffic.
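The weakness recorded here is CWE-306 (missing authentication) in a handler built on Python's BaseHTTPRequestHandler. The following is an added illustration of the compensating control a defender can put in front of such an endpoint while no upstream fix exists: a handler subclass that rejects every request lacking a valid bearer token before any application logic runs, and that logs each decision with the client address so that unauthenticated probes show up in the logs. This is example code, not localGPT's own server.py; the names AuthenticatedHandler, check_bearer, probe and the LOCALGPT_API_TOKEN environment variable are assumptions chosen for the example, and the token value is constructed.

```python
import hmac
import json
import logging
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical shared secret. In a real deployment read it from the
# environment (or a secret store); the fallback here is a constructed value.
API_TOKEN = os.environ.get("LOCALGPT_API_TOKEN", "constructed-example-token")

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("api-auth")


def check_bearer(headers, expected_token):
    """Return True only if the Authorization header carries the expected bearer token.

    `headers` is any mapping with .get() (http.client.HTTPMessage or a plain dict).
    The comparison is constant-time so the token cannot be guessed byte by byte.
    """
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


class AuthenticatedHandler(BaseHTTPRequestHandler):
    """Hypothetical hardened handler: every HTTP method runs the auth gate first."""

    def _authorized(self):
        ok = check_bearer(self.headers, API_TOKEN)
        # One log line per request, including denied ones, so unauthenticated
        # probing of the endpoint is visible to monitoring.
        log.info("client=%s method=%s path=%s auth=%s",
                 self.client_address[0], self.command, self.path,
                 "ok" if ok else "denied")
        if not ok:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        return ok

    def _send_json(self, obj):
        body = json.dumps(obj).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if not self._authorized():
            return          # 401 already sent; no application code runs
        self._send_json({"status": "ok"})

    def do_POST(self):
        if not self._authorized():
            return
        length = int(self.headers.get("Content-Length", "0"))
        payload = self.rfile.read(length)
        self._send_json({"received_bytes": len(payload)})

    def log_message(self, format, *args):
        pass                # default stderr access log replaced by log.info above


def probe(token):
    """Start the hardened server on a loopback port, send one GET, return the HTTP status."""
    server = HTTPServer(("127.0.0.1", 0), AuthenticatedHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = "http://127.0.0.1:%d/api/health" % server.server_address[1]
        req = Request(url)
        if token is not None:
            req.add_header("Authorization", "Bearer " + token)
        try:
            with urlopen(req, timeout=5) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("no token     ->", probe(None))          # 401
    print("wrong token  ->", probe("wrong-token")) # 401
    print("valid token  ->", probe(API_TOKEN))     # 200
```

The gate is placed in a single helper called at the top of every do_* method, so adding a new route cannot silently skip it; the 401 path sets Content-Length so clients do not hang, and the access log records denied attempts, which is the signal the "monitor for exploitation indicators" step above depends on.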

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

  First Time appeared (values added): Promtengineer; Promtengineer localgpt
  Vendors & Products (values added): Promtengineer; Promtengineer localgpt

Sat, 28 Mar 2026 15:15:00 +0000

  Description (values added): A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
  Title (values added): PromtEngineer localGPT API Endpoint server.py LocalGPTHandler missing authentication
  Weaknesses (values added): CWE-287; CWE-306
  References (values added):
  Metrics (values added):
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T14:06:09.042Z

Reserved: 2026-03-27T13:48:21.340Z

Link: CVE-2026-5000

Vulnrichment

Updated: 2026-04-01T14:06:03.258Z

NVD

Status: Deferred

Published: 2026-03-28T15:16:38.563

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:59:02Z

Weaknesses