CVE-2026-1163 - Vulnerability Details

- Insufficient Session Expiration in parisneo/lollms

Description

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.

Published: 2026-04-08

Score: 4.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An insufficient session expiration vulnerability causes the application to keep an active session token valid even after a user resets their password. The lack of a mechanism to reject requests after inactivity and the default 31-day session lifetime allow an attacker who already holds a session cookie to maintain access, leading to persistent unauthorized control of the compromised account.

Affected Systems

The Parisneo lollms application is affected, specifically the latest publicly released version(s). No detailed version range is disclosed, so deployments using the default 31-day session configuration should be reviewed for exposure.

Risk and Exploitability

The CVSS base score of 4.1 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is possession of an active session cookie prior to the password reset; an attacker can trigger a password change and then continue using the old token because the session is not invalidated. EPSS data is unavailable, but the moderate score suggests that exploitation could occur if the conditions are met.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

parisneo

parisneo/lollms

affected

Version	Status	Constraints
`unspecified`	affected	≤ latest

No data.

Vendor Product Confidence Versions

Parisneo

Lollms

100%

Version	Status	Scheme	Platform
`unspecified`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s website or security page for an updated release that adds session invalidation on password change and limits session duration.
If no patch is available, immediately reduce the session timeout to a short period (e.g., 2–4 hours) and enforce idle‑timeout policies.
Implement a server‑side check that invalidates all active sessions whenever a password reset occurs.
Monitor session activity logs for anomalous long‑lived sessions and alert administrators.
If possible, enforce multi‑factor authentication to limit the impact of a stolen session token.

Generated by OpenCVE AI on April 8, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8jg2-726g-xh43	parisneo/lollms has an insufficient session expiration vulnerability

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b

History

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Parisneo lollms
Vendors & Products		Parisneo lollms

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Parisneo Parisneo parisneo/lollms
Vendors & Products		Parisneo Parisneo parisneo/lollms

Wed, 08 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 02:30:00 +0000

Type	Values Removed	Values Added
Description		An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.
Title		Insufficient Session Expiration in parisneo/lollms
Weaknesses		CWE-613
References		https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b
Metrics		cvssV3_0 `{'score': 4.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L'}`

Subscriptions

Parisneo Lollms Parisneo/lollms

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2026-04-08T02:20:50.573Z

Updated: 2026-04-08T15:58:36.451Z

Reserved: 2026-01-18T21:30:57.148Z

Link: CVE-2026-1163

Vulnrichment

Updated: 2026-04-08T15:58:33.466Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T03:16:07.500

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-1163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:44:09Z

Weaknesses

CWE-613

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object