Server-Side Request Forgery Vulnerability in LocalAI by Mudler
CVE-2026-59707

9.2CRITICAL

Key Information:

Vendor

Localai

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-59707?

An unauthenticated server-side request forgery vulnerability exists in LocalAI's POST /models/apply endpoint. This flaw allows malicious actors to exploit unsanitized gallery URL fields, leading the server to make unauthorized HTTP GET requests to internal and private ranges. As a result, sensitive information may be inadvertently disclosed through error messages, posing a significant risk to data integrity and security.

Affected Version(s)

LocalAI 0

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.