CRITICAL
LocalAI
CVE published 2026-07-07
CVE-2026-59707
A critical server-side request forgery vulnerability exists in LocalAI's POST /models/apply endpoint, enabling attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper validation, allowing attackers to force the server to issue HTTP GET requests to private and loopback ranges. Partial response conte [truncated]