External risk intelligence

LocalAI SSRF via Unsanitized Model Apply Endpoint

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-59707

LocalAI is designed as a server-side application that provides AI model endpoints. As an API-based service that often exposes endpoints for model management and interaction, it is commonly deployed as a web-accessible service, making the /models/apply endpoint reachable in many standard deployments.

Server-Side Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in LocalAI, a technology that provides AI model endpoints, allowing unauthorized access to internal network resources. This issue could permit external actors to interact with your private systems by leveraging a flaw in how the application handles model requests. The primary concern is to confirm if this technology is in use and if it is exposed to the internet.

  • Unauthorized access to internal network resources.
  • Critical vulnerability affects AI model endpoint technology.
  • Confirm relevance and exposure for potential risk.

Attack Path

How an attacker could exploit the issue

An attacker can initiate a server-side request forgery by sending a specially crafted request to the `/models/apply` endpoint. This endpoint is exposed publicly and does not require authentication. The vulnerability stems from the direct use of unsanitized input from the `gallery URL` field, which the system then uses without proper validation to fetch configurations from arbitrary URLs. This can cause the server to make unintended HTTP requests to internal or loopback network addresses, potentially revealing partial error messages containing sensitive information.

  • No authentication needed to access.
  • Triggered by submitting a malformed URL.
  • Allows fetching arbitrary internal URLs.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to trick the LocalAI server into making requests to arbitrary internal URLs. When supported by the advisory, this could expose system data by leaking partial response content through error messages when attempting to access private or loopback network ranges.

  • System URLs could be fetched.
  • Server issues HTTP GET requests.
  • Partial content may be leaked.

Operational Fix

Recommended remediation, mitigation, and detection steps

The LocalAI application's unauthenticated server-side request forgery vulnerability requires immediate attention from teams managing AI infrastructure and security. The first step is to identify all LocalAI instances, determine their exposure, and confirm if they are business-critical or directly reachable from external networks. Subsequently, the accountable owner must be identified to plan remediation based on the assessed risk.

  • Identify LocalAI instances and exposure.
  • Confirm business criticality and ownership.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is LocalAI?

LocalAI is an open-source framework that provides a self-hosted API for running artificial intelligence models. It enables users to deploy generative AI capabilities—such as text generation and image processing—locally on their own infrastructure, acting as a drop-in replacement for hosted AI cloud services by offering compatible endpoints for developers and internal applications.

What is the weakness in CVE-2026-59707?

This vulnerability is a Server-Side Request Forgery (SSRF), classified as CWE-918. It occurs when a web application accepts a user-provided URL without verifying where it points. In this specific CVE, the LocalAI application blindly trusts input for model configuration, allowing an attacker to force the server to perform unauthorized HTTP GET requests to destinations it was never intended to access.

How is this SSRF vulnerability triggered?

An attacker triggers this by sending a crafted POST request to the /models/apply endpoint, specifically manipulating the 'gallery URL' field. The flaw is triggered regardless of user authentication status; however, the vulnerability is not activated if the server lacks network connectivity to reach the target internal systems or if strict network egress filtering blocks the outbound requests generated by the application.

Is my instance affected by this CVE?

According to Halo Surface Signal, LocalAI is typically deployed as a web-accessible service to facilitate interaction with AI endpoints. Because the /models/apply endpoint is often reachable in standard deployments, instances exposed to the internet are at higher risk. You should determine if your specific implementation allows network access to the API from outside your private environment.

What should I do first to address this?

Start by performing an inventory of all LocalAI instances running in your environment. Prioritize identifying which of these instances are accessible over the internet versus those strictly restricted to internal networks. Once identified, locate the responsible team for each instance to evaluate the risk and prioritize applying security updates or restricting access to the affected endpoint.

References