CVE-2026-1114
NONE EPSS 41.3%
Published Apr 7, 20262mo ago · Modified Jun 17, 20261w ago
Published Apr 7, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago
Description
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
Threat Intelligence
EPSS Exploit Probability
41.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-284
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| lollms | lollms | 2.1.0 | any |
References 2
- github.com https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34
- huntr.com https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89
Remediation
- github.com https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34