CVE-2026-6588
Published: 20 April 2026
Summary
CVE-2026-6588 is a medium-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23729
Vulnerability details
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be…
more
launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication (CWE-287/306) on remote Model API endpoints directly enables exploitation of a public-facing application.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session content review can reveal authentication bypasses or failures in session establishment.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
Documented IA policy and procedures require proper authentication mechanisms to be defined and followed, reducing improper authentication.
Requires adaptive authentication under specific conditions, directly strengthening authentication mechanisms against improper or insufficient authentication.
Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
Requires unique identification and authentication of organizational users, directly preventing improper authentication.
Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.
Directly requires implementation of compliant authentication mechanisms to cryptographic modules, preventing improper authentication.