CVE-2026-59707 — LocalAI Unauthenticated SSRF in Model Apply Endpoint
What Happened
- CVE-2026-59707 was publicly disclosed on July 7, 2026 — a High severity (CVSS 8.6) unauthenticated Server-Side Request Forgery in LocalAI.
- The vulnerability exists in the
POST /models/applyendpoint, which accepts gallery configuration data including URL fields. - The endpoint passes unsanitized gallery URL fields directly to
gallery.GetGalleryConfigFromURLWithContextwithout proper validation. - Attackers can force the LocalAI server to issue HTTP GET requests to arbitrary internal URLs — including private and loopback ranges (127.0.0.1, 169.254.x.x, internal cloud metadata endpoints).
- Partial response content is leaked through error messages, enabling data extraction from internal services.
- No authentication is required — any network-reachable client can exploit this.
- LocalAI is a popular open-source self-hosted AI inference server, widely used for running local LLMs in development and production environments.
- A fix has been committed to the repository; users should update immediately.
Why It Matters
Self-hosted AI inference servers like LocalAI often run in environments with access to internal networks, cloud metadata services, and other sensitive infrastructure. An unauthenticated SSRF with no user interaction means any exposed LocalAI instance becomes a pivot point for internal network reconnaissance. Cloud environments are especially at risk — AWS/GCP/Azure metadata endpoints at 169.254.169.254 can leak IAM credentials.
What To Do
- Update LocalAI to the latest version immediately — the fix is available in the repository.
- If you cannot patch right now: restrict network access to the
/models/applyendpoint using firewall rules or a reverse proxy. - Block outbound requests to internal/private IP ranges at the network level for any host running LocalAI.
- Audit access logs for suspicious requests to internal URLs, especially cloud metadata endpoints.
- Consider running LocalAI in a network-isolated container with no access to internal infrastructure.