MEDIUM
The severity rating is MEDIUM due to the potential for unauthorized access through newly introduced features like Qwen3 TTS and Ace Step 1.5 support, but there are no known exploits yet. The real-world exploitability in both homelab and production environments remains uncertain until more details emerge about possible vulnerabilities.

KoboldCpp 1.110 is a software release that marks the three-year anniversary of its initial launch. This update introduces several new features, including high-quality Qwen3 TTS voice cloning and native support for Ace Step 1.5 for music generation. The implementation of these features could potentially expose vulnerabilities related to audio processing and text-to-speech functionalities if not properly secured. Given the nature of the software, which involves handling various types of input data from users and potentially sensitive information, there is a risk of unauthorized access or exploitation through these new features. Engineers and sysadmins should be aware that while these updates bring valuable capabilities, they also introduce security concerns that need to be addressed proactively.

Affected Systems
  • KoboldCpp 1.110
Affected Versions: version 1.110
Remediation
  • Review the documentation for version 1.110 to understand new security features and best practices.
  • Implement input validation and sanitization routines where Qwen3 TTS and Ace Step 1.5 are used.
  • Monitor system logs for any unusual activity related to these new features.
Stack Impact

The impact on homelab stacks is minimal unless users have integrated KoboldCpp with other services that could be exploited through the new audio generation capabilities. Specifically, configurations in 'config.json' and commands using the TTS or music generation functionalities should be reviewed for security.

Source →