{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6588", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T09:03:50.771Z", "datePublished": "2026-04-20T00:15:12.174Z", "dateUpdated": "2026-04-20T00:15:12.174Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T00:15:12.174Z"}, "title": "serge-chat serge Model API Endpoint model.py delete_model missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "serge-chat", "product": "serge", "versions": [{"version": "1.4TB", "status": "affected"}], "modules": ["Model API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T11:08:56.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-a (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358223", "name": "VDB-358223 | serge-chat serge Model API Endpoint model.py delete_model missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358223/cti", "name": "VDB-358223 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791089", "name": "Submit #791089 | serge-chat serge <= 3cb250c Missing Authentication for Critical Function (CWE-306)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/5fbc93a21f9928e91a72ab0d72fb1e88", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function download_model/delete_model of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6588", "lastModified": "2026-04-20T01:16:30.867", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T01:16:30.867", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/YLChen-007/5fbc93a21f9928e91a72ab0d72fb1e88"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791089"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358223"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358223/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T02:21:09.225450+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch or upgrade to the latest release that enforces authentication on the delete_model endpoint. ", "Place the delete_model API behind a firewall or API gateway and require valid authentication tokens before allowing delete requests. ", "Enable logging of all delete_model calls and monitor for unauthorized activity to detect and respond to any compromise quickly."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized deletion of model data"}, "threat_synthesis": {"affected_systems": "All installations of serge-chat serge up to version 1.4TB that have not applied the vendor\u2019s fix are susceptible to unauthenticated model deletion.", "description_and_impact": "The flaw is a missing authentication check in the delete_model API of serge-chat\u2019s serge component. An unauthenticated user can send a delete request and remove a stored model. Because the endpoint is reachable over the network and the exploit is publicly available, attackers can execute this action from anywhere, leading to loss of model data and disruption of the chatbot\u2019s knowledge base.", "risk_and_exploitability": "With a CVSS score of 6.9 the vulnerability is classified as medium severity. The remote attack surface and lack of authentication make exploitation straightforward, though EPSS data is not available and the flaw is not listed in CISA\u2019s KEV catalog. The public availability of the exploit increases the probability that a real attacker will target affected systems."}}}}, "created": "2026-04-20T02:30:41.039968+00:00", "updated": "2026-04-20T02:30:41.039986+00:00", "vendors": []}