CVE-2026-5002 Overview
A prompt injection vulnerability has been identified in PromtEngineer localGPT, affecting the _route_using_overviews function within the backend/server.py file of the LLM Prompt Handler component. This vulnerability allows remote attackers to manipulate LLM prompts through injection techniques, potentially leading to unauthorized information disclosure, data manipulation, or unintended system behavior.
The vulnerability exists in localGPT versions up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054. Since localGPT utilizes a rolling release system for continuous delivery, specific version numbers for affected or updated releases are not available. The exploit has been publicly disclosed, and the vendor was contacted but did not respond to the disclosure.
Critical Impact
Remote attackers can inject malicious prompts to manipulate LLM behavior, potentially leading to information leakage, unauthorized actions, or bypassing intended application controls through the network-accessible prompt handler.
Affected Products
- PromtEngineer localGPT (up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054)
- localGPT LLM Prompt Handler component (backend/server.py)
- localGPT installations with exposed network interfaces
Discovery Timeline
- 2026-03-28 - CVE-2026-5002 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-5002
Vulnerability Analysis
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as an Injection vulnerability. In the context of LLM applications, this manifests as a prompt injection attack where user-controlled input is improperly sanitized before being passed to the language model.
The vulnerable function _route_using_overviews in the LLM Prompt Handler fails to adequately validate or sanitize input before incorporating it into prompts sent to the underlying language model. This allows attackers to craft malicious input that alters the intended behavior of the LLM, potentially bypassing security controls, extracting sensitive information from the model's context, or causing the application to perform unintended actions.
The attack is exploitable remotely over the network without requiring authentication, making any exposed localGPT instance a potential target.
Root Cause
The root cause of this vulnerability is insufficient input validation and lack of proper prompt sanitization in the _route_using_overviews function within backend/server.py. The function processes user input and incorporates it into LLM prompts without implementing adequate controls to prevent injection attacks. This allows specially crafted input to escape the intended prompt context and inject arbitrary instructions to the language model.
Attack Vector
The attack vector is network-based, requiring no user interaction or authentication. An attacker can send specially crafted HTTP requests to the localGPT server that contain malicious prompt fragments. These fragments are processed by the _route_using_overviews function and passed to the LLM, where they can:
- Override system instructions intended to control LLM behavior
- Extract sensitive information that may exist in the model's context
- Cause the LLM to generate harmful or misleading content
- Bypass application-level access controls implemented through prompts
The vulnerability is particularly concerning for deployments where localGPT interfaces with sensitive data or has access to additional system capabilities through function calling or tool use features.
Detection Methods for CVE-2026-5002
Indicators of Compromise
- Unusual or malformed requests to the localGPT server endpoint containing prompt injection patterns
- LLM responses that deviate significantly from expected application behavior
- Requests containing known prompt injection phrases such as "ignore previous instructions" or "disregard above"
- Abnormal data exfiltration patterns in LLM responses
- Server logs showing repeated probing attempts against the prompt handler
Detection Strategies
- Implement request logging and monitoring for the localGPT /api/ endpoints to identify suspicious input patterns
- Deploy web application firewall (WAF) rules to detect common prompt injection signatures
- Monitor LLM output for unexpected content patterns or policy violations
- Use anomaly detection on request payloads targeting the prompt handler component
- Implement input validation alerts for requests containing special characters or instruction-like patterns
Monitoring Recommendations
- Enable verbose logging on the localGPT backend server to capture all incoming requests
- Set up alerts for requests with unusually long or complex payloads to the prompt handler
- Monitor network traffic for unexpected outbound connections from the localGPT server
- Track LLM token usage patterns for anomalies that may indicate prompt manipulation
- Review application logs regularly for evidence of attempted exploitation
How to Mitigate CVE-2026-5002
Immediate Actions Required
- Restrict network access to the localGPT server to trusted IP addresses only
- Implement authentication and authorization controls on all API endpoints
- Update localGPT to the latest commit if a fix becomes available
- Deploy input validation and sanitization on all user-supplied data before prompt construction
- Consider taking affected instances offline until proper mitigations are in place
Patch Information
As of the last update, no official patch has been released by the vendor. The vendor was contacted regarding this vulnerability but did not respond. Users should monitor the PromtEngineer localGPT GitHub repository for updates and security patches.
For more information about this vulnerability, refer to the GitHub Issue Discussion and VulDB Vulnerability #353889.
Workarounds
- Implement a reverse proxy with input filtering to sanitize requests before they reach the localGPT server
- Add custom input validation in the application layer to reject requests containing known prompt injection patterns
- Use network segmentation to limit access to the localGPT deployment to authorized users only
- Implement rate limiting on API endpoints to slow down automated exploitation attempts
- Consider deploying prompt injection detection libraries or middleware to filter malicious inputs
# Configuration example - Network restriction using iptables
# Restrict access to localGPT server (default port 5110) to trusted IPs only
iptables -A INPUT -p tcp --dport 5110 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5110 -j DROP
# Enable logging for dropped connections
iptables -A INPUT -p tcp --dport 5110 -j LOG --log-prefix "localGPT-blocked: "
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
