Cyber Posture

CVE-2026-5000

Severity: High
Published: 28 March 2026
Modified: 24 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0010 (28.1th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5000 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication · prevent
Directly addresses the missing authentication in LocalGPTHandler by requiring explicit limitation and protection of actions permitted without identification or authentication on the API endpoint.

AC-3 Access Enforcement · prevent
Enforces approved authorizations to block unauthorized remote access and manipulation via the vulnerable BaseHTTPRequestHandler argument in the API endpoint.

IA-8 Identification and Authentication (Non-Organizational Users) · prevent
Mandates identification and authentication for non-organizational users, preventing exploitation of the unauthenticated remote API endpoint by external attackers.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on the network-accessible API endpoint (LocalGPTHandler) directly enables remote exploitation of a public-facing application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was detected in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Impacted is the function LocalGPTHandler of the file backend/server.py of the component API Endpoint. The manipulation of the argument BaseHTTPRequestHandler results in missing authentication. The attack can be executed remotely.…
This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2026-5000 is a missing authentication vulnerability affecting PromtEngineer localGPT up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The issue resides in the LocalGPTHandler function within the backend/server.py file of the API Endpoint component, where manipulation of the BaseHTTPRequestHandler argument bypasses required authentication. This flaw, associated with CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-28.

Remote attackers require only network access to exploit this vulnerability, with no privileges, user interaction, or high complexity needed. Successful exploitation grants unauthorized access to the API endpoint, potentially allowing limited compromise of confidentiality, integrity, and availability, such as reading sensitive data, modifying requests, or disrupting service.

Advisories from VulDB (vuln/353887) and a GitHub issue (August829/CVEP/issues/8) detail the flaw but note no vendor response despite early contact, and the product's rolling release model provides no specific version information for affected or patched releases. Practitioners should audit deployments up to the listed commit, implement network segmentation, and consider adding custom authentication wrappers until upstream fixes emerge.
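As an added example (not localGPT's own code, which the advisory does not show), the kind of interim authentication wrapper the last sentence recommends for a BaseHTTPRequestHandler-based API: every request must present a bearer token, compared in constant time, before any endpoint logic runs. The header name, route, token value and the in-process request helper are assumptions made for the demonstration.

```python
import hmac
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed shared secret (assumption); load it from a secrets store in practice.
API_TOKEN = "constructed-demo-token"

def is_authorized(headers, expected=API_TOKEN):
    """True only for 'Authorization: Bearer <token>' equal to expected;
    hmac.compare_digest keeps the comparison constant-time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected.encode())

class AuthenticatedHandler(BaseHTTPRequestHandler):
    """Authenticate every request before any route logic can run."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)  # drained so the socket closes cleanly
        if not is_authorized(self.headers):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
            self.end_headers()
            return  # unauthenticated requests never reach the API body
        self.send_response(200)  # the real endpoint work would go here
        self.end_headers()
        self.wfile.write(b"ok:" + body)

    def log_message(self, *args):  # silence request logging for the demo
        pass

def request_status(token, body=b"prompt"):
    """Serve on an ephemeral port, send one POST, return the HTTP status."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), AuthenticatedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        headers = {"Authorization": f"Bearer {token}"} if token else {}
        req = Request(f"http://127.0.0.1:{server.server_port}/api/prompt",
                      data=body, headers=headers, method="POST")
        try:
            return urlopen(req, timeout=5).status
        except HTTPError as err:
            return err.code
    finally:
        server.shutdown()
        server.server_close()
```

The body is read before the token check only so the connection is drained; a production wrapper should also cap Content-Length so unauthenticated callers cannot push large bodies.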

Details

CWE(s): CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function)

CVEs Like This One

CVE-2025-58443 (shared CWE-287, CWE-306)
CVE-2026-6577 (shared CWE-287, CWE-306)
CVE-2026-40344 (shared CWE-287, CWE-306)
CVE-2026-6582 (shared CWE-287, CWE-306)
CVE-2026-4562 (shared CWE-287, CWE-306)
CVE-2026-3053 (shared CWE-287, CWE-306)
CVE-2026-6129 (shared CWE-287, CWE-306)
CVE-2025-11942 (shared CWE-287, CWE-306)
CVE-2026-7042 (shared CWE-287, CWE-306)
CVE-2026-7723 (shared CWE-287, CWE-306)