Server-Side Request Forgery Vulnerability in LocalAI by Mudler
CVE-2026-59707
9.2CRITICAL
What is CVE-2026-59707?
An unauthenticated server-side request forgery vulnerability exists in LocalAI's POST /models/apply endpoint. This flaw allows malicious actors to exploit unsanitized gallery URL fields, leading the server to make unauthorized HTTP GET requests to internal and private ranges. As a result, sensitive information may be inadvertently disclosed through error messages, posing a significant risk to data integrity and security.
Affected Version(s)
LocalAI 0
