Description
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Forged JWT
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the use of a weak secret key to sign JSON Web Tokens in lollms version 2.1.0. Because the key can be recovered through an offline brute‑force attack, an attacker can produce admin‑level tokens by altering the token payload and signing it with the cracked key. This allows unauthorized users to impersonate the administrator and access restricted endpoints, effectively giving them full control over the application. The weakness is a classic example of improper access control (CWE‑284).

Affected Systems

The affected product is parisneo lollms version 2.1.0. The flaw was fixed in version 2.2.0. No other versions were listed as impacted.

Risk and Exploitability

The CVSS score is 9.8, indicating a high severity. The EPSS score is < 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an attacker submitting a forged JWT to the application; this is inferred from the description that the token can be tampered with after the key is compromised. Exploitation requires only knowledge of the cracked key and the ability to send HTTP requests, making the threat practical for actors with moderate expertise.

Generated by OpenCVE AI on April 28, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch by upgrading to lollms version 2.2.0 or later
  • Revoke all issued JWTs and rotate the application secret to invalidate any previously forged tokens
  • Configure the application to reject any JWTs signed with untrusted algorithms and enforce the use of a strong secret

Generated by OpenCVE AI on April 28, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Lollms
Lollms lollms
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:lollms:lollms:2.1.0:*:*:*:*:*:*:*
Vendors & Products Lollms
Lollms lollms

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Parisneo
Parisneo lollms
Vendors & Products Parisneo
Parisneo lollms

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
Title Improper Access Control via Weak JWT Token in parisneo/lollms
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Lollms Lollms
Parisneo Lollms
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-04-07T13:20:46.279Z

Reserved: 2026-01-17T13:03:46.967Z

Link: CVE-2026-1114

cve-icon Vulnrichment

Updated: 2026-04-07T13:20:28.618Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T07:16:23.633

Modified: 2026-04-28T00:00:29.800

Link: CVE-2026-1114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses