CVE-2026-1114Improper Access Control in Lollms

CWE-284Improper Access ControlCWE-476NULL Pointer Dereference4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 81.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Parisneo Lollms
Timeline
PublishedApr 7

Description

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impers

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

CVEListV5parisneo/parisneo_lollmsunspecified2.2.0

🔴Vulnerability Details

1
GHSA
GHSA-9296-v3fr-j92j: In parisneo/lollms version 22026-04-07