In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LoLLMs | pip | < 2.2.0 | 2.2.0 |
Do you use LoLLMs? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update LoLLMs to version 2.2.0
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-1114?
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
Is CVE-2026-1114 actively exploited?
No confirmed active exploitation of CVE-2026-1114 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-1114?
Update to patched version: LoLLMs 2.2.0.
What is the CVSS score for CVE-2026-1114?
CVE-2026-1114 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.54%.
What are the technical details?
Original Advisory
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
Weaknesses (CWE)
CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-1115 9.6 lollms: Stored XSS enables wormable account takeover
Same package: lollms CVE-2024-6982 8.4 lollms: RCE via eval() sandbox bypass in Calculate
Same package: lollms CVE-2026-1117 8.2 lollms: Access Control bypass enables privilege escalation
Same package: lollms CVE-2025-6386 7.5 lollms: timing attack enables credential enumeration
Same package: lollms CVE-2024-6581 6.5 Lollms: SVG upload XSS enables session hijack and RCE
Same package: lollms