PT-2026-33657 · Unknown · Serge-Chat

Eric-A · Published 2026-04-20 · Updated 2026-04-20 · CVE-2026-6588

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions: serge-chat versions prior to 1.4TB

Description: A flaw in the Model API Endpoint allows remote attackers to bypass authentication. This issue exists within the download model and delete model functions located in the 'api/src/serge/routers/model.py' file. Exploitation of this weakness can lead to unauthorized actions, including the deletion of models, and has been observed in real-world incidents.

Recommendations: Update to a version later than 1.4TB. As a temporary workaround, restrict access to the download model and delete model functions in the Model API Endpoint to minimize the risk of exploitation.

Exploit

Fix

Improper Authentication

Missing Authentication

Weakness Enumeration

Related Identifiers: CVE-2026-6588

Affected Products: Serge-Chat