Description
A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.
Published: 2026-02-02
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in lollms_generation_events.py of parisneo/lollms version 5.9.0. Event handlers such as generate_text, cancel_generation, generate_msg, and generate_msg_from are registered without any authentication or authorization checks. This lets anyone who can connect to the Socket.IO interface invoke these operations, which are resource‑intensive and may alter server state. As a result, an attacker can consume resources, cause a denial of service, corrupt internal state, or trigger race conditions that affect other clients.

Affected Systems

Affected by version 5.9.0 of the lollms project maintained by parisneo. The vulnerability resides specifically in the lollms_generation_events.py file and can be exploited on any instance running that version.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, but the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw simply by connecting to the Socket.IO endpoint without authentication, so the risk remains significant for exposed deployments. Organizations with publicly reachable lollms services should treat this vulnerability as high risk and act quickly.

Generated by OpenCVE AI on April 18, 2026 at 00:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched version of lollms that implements authentication for Socket.IO events.
  • Add authentication or authorization checks to the event handlers in lollms_generation_events.py to restrict access to trusted users.
  • Restrict Socket.IO connections to trusted IP addresses or networks by configuring firewalls or network segmentation to reduce the number of clients that can reach the vulnerable endpoints.

Generated by OpenCVE AI on April 18, 2026 at 00:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-82fw-ch24-j34w Lollms has an Improper Access Control vulnerability
History

Wed, 04 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Parisneo
Parisneo lollms
Vendors & Products Parisneo
Parisneo lollms

Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.
Title Improper Access Control in parisneo/lollms
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 8.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Parisneo Lollms
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-02-02T17:49:47.974Z

Reserved: 2026-01-17T18:09:10.741Z

Link: CVE-2026-1117

cve-icon Vulnrichment

Updated: 2026-02-02T17:49:43.693Z

cve-icon NVD

Status : Deferred

Published: 2026-02-02T10:16:06.500

Modified: 2026-04-15T14:34:27.800

Link: CVE-2026-1117

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses