Description
A vulnerability was found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This affects the function handle_index of the file rag_system/api_server.py of the component Web Interface. Performing a manipulation results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A flaw in the handle_index function of rag_system/api_server.py in PromtEngineer localGPT allows a remote, unauthenticated attacker to obtain sensitive data by sending a crafted request to its web interface. The weaknesses recorded are improper access control (CWE-284) and exposure of sensitive information (CWE-200). The public record does not state which data is exposed; the CVSS vectors rate the confidentiality impact as low (C:L in 3.x, VC:L in 4.0) with no integrity or availability impact, so the likely exposure is content the API server already holds or serves rather than a full compromise.

Affected Systems

The affected component is the web interface of PromtEngineer localGPT (rag_system/api_server.py). Any installation built from commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054 or earlier is vulnerable. Because the project uses a rolling release model, no version numbers are available and no fixing commit is referenced; treat every checkout at or before that commit as affected and apply a patched commit as soon as one is published.

Risk and Exploitability

The CVSS 4.0 base score is 6.9 (Medium); the CVSS 3.0 and 3.1 vectors score it 5.3. EPSS puts the probability of exploitation in the wild below 1%, and the CVE is not in CISA's Known Exploited Vulnerabilities catalog, but a public proof-of-concept exists (CVSS E:P, SSVC Exploitation: poc) and the SSVC assessment marks it Automatable. The vectors (AV:N/AC:L/PR:N/UI:N) mean the disclosure is triggered over the network by a crafted request, with no privileges, credentials or user interaction required.

Generated by OpenCVE AI on March 28, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the newest patch or update to PromtEngineer localGPT when it is released
  • Restrict inbound traffic to the api_server.py listener (for example with a host firewall or a reverse proxy allowlist) so only trusted hosts can reach the web interface
  • Monitor web server logs for anomalous activity targeting the handle_index endpoint
  • Contact PromtEngineer for a formal patch or response to the disclosure
  • If a patch is not available, consider disabling the route served by handle_index, or stopping the api_server web interface entirely if it is not needed
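
The two operational actions above (restrict which hosts reach the API server; watch logs for requests hitting handle_index) can be checked from the proxy's access log. The script below is an added example, not localGPT's or OpenCVE's code. It assumes, as labelled in the comments, that api_server.py sits behind a reverse proxy writing Common Log Format lines, that handle_index serves the root path, and that the operator lists the networks allowed to reach it in TRUSTED_NETS; the log lines are constructed and use documentation IP ranges.

```python
"""Triage reverse-proxy access logs for requests reaching localGPT's web interface.

Added example, not localGPT's or OpenCVE's code. Assumptions (also marked
below): the api_server.py process is behind a proxy that writes Common Log
Format lines, handle_index serves the root path, and TRUSTED_NETS holds the
networks the operator intends to allow through.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: only these networks are meant to reach the API server.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]

# Assumption: handle_index is the handler behind the root path.
INDEX_PATHS = {"/", "/index.html"}

# Common Log Format: host ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2026:18:50:01 +0000] "GET / HTTP/1.1" 200 1432
203.0.113.7 - - [28/Mar/2026:18:50:09 +0000] "GET / HTTP/1.1" 200 1432
203.0.113.7 - - [28/Mar/2026:18:50:10 +0000] "GET /chat HTTP/1.1" 404 0
198.51.100.2 - - [28/Mar/2026:18:51:30 +0000] "GET /index.html?x=1 HTTP/1.1" 200 1432
127.0.0.1 - - [28/Mar/2026:18:52:00 +0000] "GET / HTTP/1.1" 200 1432
this line is not a log record
"""


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["route"] = rec["path"].split("?", 1)[0]  # route without query string
    return rec


def is_trusted(ip):
    """True if ip falls inside one of the trusted networks (malformed -> False)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Return (findings, hits): untrusted hosts that received a 2xx from the
    index route, and a per-host count of every request to that route."""
    findings = []
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["route"] not in INDEX_PATHS:
            continue
        hits[rec["ip"]] += 1
        if not is_trusted(rec["ip"]) and 200 <= rec["status"] < 300:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "bytes": rec["size"]})
    return findings, hits


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"ALERT untrusted host {f['ip']} reached index route "
              f"{f['path']} at {f['ts']} ({f['bytes']} bytes served)")
    print("index-route requests per host:", dict(counts))
```

A finding here means the network restriction is not in place or has a hole: an address outside TRUSTED_NETS got a successful response from the route that handle_index serves. The per-host counter is the baseline to watch; a burst of index-route requests from one outside host is the pattern worth escalating. Feed real logs with `triage(open(path).read().splitlines())` once TRUSTED_NETS and INDEX_PATHS match the deployment.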

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 16:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Values added:
  First Time appeared: Promtengineer; Promtengineer localgpt
  Vendors & Products: Promtengineer; Promtengineer localgpt

Sat, 28 Mar 2026 17:45:00 +0000

Values added:
  Description: A vulnerability was found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. This affects the function handle_index of the file rag_system/api_server.py of the component Web Interface. Performing a manipulation results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
  Title: PromtEngineer localGPT Web api_server.py handle_index information disclosure
  Weaknesses: CWE-200; CWE-284
  References:
  Metrics (cvssV2_0): {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
  Metrics (cvssV3_0): {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T15:54:08.127Z

Reserved: 2026-03-27T13:48:30.630Z

Link: CVE-2026-5003

Vulnrichment

Updated: 2026-03-30T15:54:01.662Z

NVD

Status : Deferred

Published: 2026-03-28T18:15:57.127

Modified: 2026-04-24T16:36:24.067

Link: CVE-2026-5003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T06:58:59Z

Weaknesses