VIR Vulnerability Intelligence Relay

CVE-2026-1114

critical
Published 2026-04-07 · Modified 2026-04-28
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
9.8

Description

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@huntr.dev — https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34

Application impact
VendorProductVersionsFixed
lollmslollms2.1.0

References

CWEs

CWE-284

Verify integrity in audit chain (admin only). AS-IS.