Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
Serge API Model Endpoint Missing Authentication Risk
CVE-2026-6588
Summary
A security weakness in Serge API Model Endpoint can allow attackers to bypass authentication and access sensitive data remotely. This vulnerability has been made publicly available and can be exploited. Update to the latest version of Serge to fix this issue.
Original title
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model AP...
Original description
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0
6.4
nvd CVSS3.1
6.5
nvd CVSS4.0
6.9
Vulnerability type
CWE-287
Improper Authentication
CWE-306
Missing Authentication for Critical Function
Published: 20 Apr 2026 · Updated: 20 Apr 2026 · First seen: 20 Apr 2026