CVE-2026-6588

MEDIUM 6.5

serge-chat serge Model API Endpoint model.py delete_model missing authentication

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-306 CWE-287
Vendor	serge-chat
Product	serge
Published	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for serge-chat serge

Be the first to know when new medium vulnerabilities affecting serge-chat serge are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

serge-chat / serge

1.4TB

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/358223 vuldb.com: https://vuldb.com/vuln/358223/cti vuldb.com: https://vuldb.com/submit/791089 gist.github.com: https://gist.github.com/YLChen-007/5fbc93a21f9928e91a72ab0d72fb1e88

Credits

🔍 Eric-a (VulDB User) VulDB CNA Team