Description
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
Published: 2026-03-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Denial of Service and Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows anyone on the network to send requests to the "/api/files/extract-text" endpoint and upload arbitrary files without needing credentials. Because the endpoint does not enforce authentication and lacks proper request size or resource limits, an attacker can upload large or malicious files that consume CPU or memory, leading to resource exhaustion and a denial of service. The ability to process files also potentially exposes sensitive data contained in the uploaded files or in the service’s internal processing logs, violating the application’s documented security policies.

Affected Systems

The issue affects the open‑source project parisneo/lollms, specifically versions up to and including 2.2.0. Any deployment of this version that exposes the /api/files/extract-text endpoint to unauthenticated users is vulnerable.

Risk and Exploitability

With a CVSS base score of 7.5, the vulnerability is considered high severity. No EPSS data is available and it is not currently listed in the CISA KEV catalog, but the lack of authentication makes exploitation trivial to anyone who can reach the endpoint. An attacker can simply craft large files or repeated requests to trigger a DoS, and the endpoint’s open processing may also reveal internal information. The likelihood of exploitation is high due to the obvious lack of access control.

Generated by OpenCVE AI on March 29, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update parisneo/lollms to any release newer than 2.2.0 that enforces authentication on the "/api/files/extract-text" endpoint.
  • If an immediate upgrade is not possible, restrict access to the endpoint using firewall rules or reverse‑proxy authentication so that only trusted IPs or users can reach it.
  • Apply request size limits and rate‑limit the file upload endpoint to prevent resource exhaustion.
  • Verify that the updated version does not expose any other unauthenticated file handling paths and monitor logs for suspicious upload activity.

Generated by OpenCVE AI on March 29, 2026 at 19:20 UTC.
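As an added check in support of the last recommended action (example code written for this page, not part of OpenCVE's output or the lollms project): a stdlib-only audit that parses FastAPI router source and reports routes under /api/files/ whose handler carries the `Depends(get_current_active_user)` dependency neither as a parameter default nor in a decorator-level `dependencies=[...]` list. The router module it scans is a constructed sample, not the real lollms source.

```python
import ast
AUTH_DEP = "get_current_active_user"          # dependency the advisory says is missing
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
# Constructed sample in the style of a FastAPI router module; not the lollms source.
SAMPLE_SOURCE = '''
from fastapi import APIRouter, Depends, UploadFile, File
router = APIRouter()
@router.post("/api/files/upload")
async def upload(file: UploadFile = File(...), user=Depends(get_current_active_user)):
    return {"ok": True}
@router.post("/api/files/extract-text")
async def extract_text(file: UploadFile = File(...)):
    return {"text": ""}
@router.get("/api/files/list", dependencies=[Depends(get_current_active_user)])
async def list_files():
    return []
'''

def _has_auth_dependency(node: ast.AST) -> bool:
    """True if a Depends(get_current_active_user) call occurs anywhere under node."""
    for sub in ast.walk(node):
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                and sub.func.id == "Depends" and sub.args
                and isinstance(sub.args[0], ast.Name) and sub.args[0].id == AUTH_DEP):
            return True
    return False

def _route_path(decorator: ast.expr):
    """URL path for a @<router>.<method>("<path>", ...) decorator, else None."""
    if (isinstance(decorator, ast.Call) and isinstance(decorator.func, ast.Attribute)
            and decorator.func.attr in HTTP_METHODS and decorator.args
            and isinstance(decorator.args[0], ast.Constant)
            and isinstance(decorator.args[0].value, str)):
        return decorator.args[0].value
    return None

def find_unauthenticated_routes(source: str, prefix: str = "/api/files/") -> list[str]:
    """Routes under `prefix` whose handler has the auth dependency neither as a
    parameter default nor in the decorator's dependencies=[...] list."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            path = _route_path(dec)
            if path is None or not path.startswith(prefix):
                continue
            if not (_has_auth_dependency(node.args) or _has_auth_dependency(dec)):
                findings.append(path)
    return findings
```

Point it at the real router modules by passing their file contents instead of the sample; it recognises only the literal `Depends(get_current_active_user)` spelling, so an aliased or renamed dependency has to be added to AUTH_DEP.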

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 18:15:00 +0000

Values added (no values removed):

  • Description: A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
  • Title: Unauthenticated File Upload in parisneo/lollms
  • Weaknesses: CWE-287
  • References: (none)
  • Metrics: cvssV3_0 {'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-29T17:53:08.003Z

Reserved: 2026-01-01T21:43:51.283Z

Link: CVE-2026-0558

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-29T18:16:13.250

Modified: 2026-03-29T18:16:13.250

Link: CVE-2026-0558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:31:14Z

Weaknesses