Description
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
Published: 2026-03-29
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Service Disruption and Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated vulnerability exists in the file extraction endpoint of the Parisneo/Lollms application. The /api/files/extract-text route allows any remote user to upload and process files without the required authentication dependency, enabling arbitrary file handling. This flaw can lead to resource exhaustion, causing a denial of service, and may expose sensitive content from uploaded files, thereby violating the application's intended security posture.
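The root cause named in the description, a route that lacks the `Depends(get_current_active_user)` dependency its sibling endpoints carry, is something a reviewer can check for mechanically rather than by reading every handler. The block below is an added example, not code from the lollms project: it parses a FastAPI router module with Python's `ast` module and lists every route whose handler neither declares a parameter defaulting to `Depends(get_current_active_user)` nor passes that dependency in the decorator's `dependencies=` list. The router source it scans is a constructed sample shaped like the advisory's description (`/api/files/upload` guarded, `/api/files/extract-text` not); the dependency name is the one quoted in the description, and the only route shape assumed is the plain `@router.<method>("<path>")` decorator form.

```python
"""Audit FastAPI route handlers for a missing authentication dependency.

Added example (not lollms project code). Walks a router module's AST and
reports every route that has no Depends(<required dependency>) on either
the handler's parameters or the decorator's dependencies= list.
"""
import ast

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed sample router in the shape the advisory describes: one file
# endpoint that carries the auth dependency and one that forgot it.
SAMPLE_ROUTER = '''
from fastapi import APIRouter, Depends, UploadFile

router = APIRouter()

@router.post("/api/files/upload")
async def upload(file: UploadFile, user=Depends(get_current_active_user)):
    return {"ok": True}

@router.post("/api/files/extract-text")
async def extract_text(file: UploadFile):
    return {"text": "..."}

@router.get("/api/files/{file_id}")
def get_file(file_id: str, user: User = Depends(get_current_active_user)):
    return {}
'''


def _depends_on(node: ast.expr, dep_name: str) -> bool:
    """True if `node` is Depends(dep_name) or Depends(<module>.dep_name)."""
    if not isinstance(node, ast.Call) or not node.args:
        return False
    func = node.func
    is_depends = (isinstance(func, ast.Name) and func.id == "Depends") or (
        isinstance(func, ast.Attribute) and func.attr == "Depends"
    )
    if not is_depends:
        return False
    target = node.args[0]
    if isinstance(target, ast.Name):
        return target.id == dep_name
    if isinstance(target, ast.Attribute):
        return target.attr == dep_name
    return False


def _route_decorator(dec: ast.expr):
    """Return (METHOD, path) for an @<obj>.<method>("<path>", ...) decorator, else None."""
    if not isinstance(dec, ast.Call) or not isinstance(dec.func, ast.Attribute):
        return None
    method = dec.func.attr.lower()
    if method not in HTTP_METHODS or not dec.args:
        return None
    path_node = dec.args[0]
    if isinstance(path_node, ast.Constant) and isinstance(path_node.value, str):
        return method.upper(), path_node.value
    return None


def _decorator_has_dependency(dec: ast.Call, dep_name: str) -> bool:
    """Check the decorator's dependencies=[Depends(...), ...] keyword."""
    for kw in dec.keywords:
        if kw.arg == "dependencies" and isinstance(kw.value, (ast.List, ast.Tuple)):
            if any(_depends_on(elt, dep_name) for elt in kw.value.elts):
                return True
    return False


def _handler_has_dependency(fn, dep_name: str) -> bool:
    """Check every parameter default (positional and keyword-only) for Depends(dep_name)."""
    defaults = list(fn.args.defaults) + [d for d in fn.args.kw_defaults if d is not None]
    return any(_depends_on(d, dep_name) for d in defaults)


def find_unprotected_routes(source: str, dep_name: str = "get_current_active_user"):
    """Return [(METHOD, path, handler_name)] for routes lacking Depends(dep_name)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            route = _route_decorator(dec)
            if route is None:
                continue
            if _handler_has_dependency(node, dep_name) or _decorator_has_dependency(dec, dep_name):
                continue
            findings.append((route[0], route[1], node.name))
    return findings


if __name__ == "__main__":
    for method, path, name in find_unprotected_routes(SAMPLE_ROUTER):
        print(f"UNAUTHENTICATED {method} {path} (handler {name})")
```

Running the script on the sample reports only `POST /api/files/extract-text`, which is the gap the advisory describes. It is a source-level check with a deliberate blind spot: dependencies attached to the `APIRouter(...)` constructor or via `app.include_router(..., dependencies=...)` are not inspected, so a route flagged here should be confirmed against the router's wiring, and an unauthenticated request in a test client remains the definitive check.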

Affected Systems

The issue affects the Parisneo/Lollms product up to and including version 2.2.0. Environment configurations that expose the vulnerable endpoint without additional controls are directly at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, denoting critical severity. Although the EPSS score is below 1%, indicating a low current exploitation probability, once discovered it could be leveraged easily through standard HTTP requests without any authentication. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is over the network to the exposed API endpoint.

Generated by OpenCVE AI on April 1, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version newer than 2.2.0 that enforces authentication on the /api/files/extract-text endpoint.



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lollms, Lollms lollms
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*
Vendors & Products | | Lollms, Lollms lollms
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 30 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Parisneo, Parisneo parisneo/lollms
Vendors & Products | | Parisneo, Parisneo parisneo/lollms

Sun, 29 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
Title | | Unauthenticated File Upload in parisneo/lollms
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_0 {'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-30T15:23:41.471Z

Reserved: 2026-01-01T21:43:51.283Z

Link: CVE-2026-0558

Vulnrichment

Updated: 2026-03-30T15:23:32.181Z

NVD

Status : Analyzed

Published: 2026-03-29T18:16:13.250

Modified: 2026-03-31T19:45:54.220

Link: CVE-2026-0558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:04Z

Weaknesses