CVE-2026-1117: lollms: Access Control bypass enables privilege escalation

GHSA-82fw-ch24-j34w HIGH CISA: TRACK*
Published February 2, 2026
CISO Take

If your org runs parisneo/lollms exposed to any untrusted network, this is patch-now. Any unauthenticated Socket.IO client can trigger unbounded LLM inference, cancel running generations, and corrupt global server state — zero credentials required. Upgrade to lollms 2.1.0 immediately; if patching is delayed, enforce network-layer access control (firewall or authenticated reverse proxy) before the next business day.

Risk Assessment

High risk for internet-exposed or shared-network lollms deployments. CVSS 8.2 with no privileges required and trivially low attack complexity — any Socket.IO client suffices, no AI/ML knowledge needed. EPSS 0.00078 indicates limited active exploitation at time of publication, but the barrier to exploit is near-zero. The global state architecture amplifies blast radius in multi-user environments: a single attacker degrades service for all concurrent users simultaneously. Organizations running lollms as a shared inference frontend in AI labs or developer environments face the highest exposure.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
lollms    pip         < 2.1.0            2.1.0

Severity & Risk

CVSS 3.1: 8.2 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 24% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): High

Recommended Action

Five steps:

  1. PATCH: Upgrade to lollms >= 2.1.0, which adds authentication checks to the Socket.IO event handlers.

  2. ISOLATE (if patching is delayed): Restrict access to the lollms port to trusted IPs via firewall rules or a reverse proxy ACL — lollms must never be directly internet-accessible.

  3. PROXY: Place lollms behind an authenticated reverse proxy (nginx + oauth2-proxy, or basic auth as a minimum).

  4. DETECT: Monitor Socket.IO connections for anomalous patterns — more than 10 generate events per minute from a single IP, or repeated cancel_generation calls with no preceding generate, should trigger alerts.

  5. AUDIT: Review all lollms deployments in your environment for network exposure before closing this finding.
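The two DETECT thresholds from step 4, implemented as an added example over a constructed event log (this is not lollms code or a lollms log format): the line layout, source IPs and session ids are assumptions, while the event names are the ones the NVD description lists.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Events that start inference; names as listed in the NVD description.
GENERATE_EVENTS = {"generate_text", "generate_msg", "generate_msg_from"}
RATE_LIMIT = 10                # alert on more than 10 generate events per minute per IP
WINDOW = timedelta(minutes=1)

# Constructed sample log (not a real lollms log format), one line per Socket.IO event:
# "<ISO timestamp> <source IP> <session id> <event name>". IPs are documentation ranges.
SAMPLE_LOG = [
    # attacker A: 11 generate_text events in 50 seconds
    f"2026-02-02T10:00:{s:02d} 203.0.113.5 sid-att1 generate_text" for s in range(0, 55, 5)
] + [
    # legitimate user: one generation, then cancels their own job
    "2026-02-02T10:00:12 198.51.100.7 sid-user generate_msg",
    "2026-02-02T10:00:40 198.51.100.7 sid-user cancel_generation",
    # attacker B: repeated cancel_generation without ever having generated
    "2026-02-02T10:00:20 203.0.113.9 sid-att2 cancel_generation",
    "2026-02-02T10:00:21 203.0.113.9 sid-att2 cancel_generation",
]

def parse_line(line):
    """Split one constructed log line into (timestamp, ip, sid, event)."""
    ts, ip, sid, event = line.split()
    return datetime.fromisoformat(ts), ip, sid, event

def detect(lines):
    """Return alerts as (rule, subject) tuples in chronological order."""
    events = sorted(parse_line(line) for line in lines)  # sliding window needs time order
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of generate events inside WINDOW
    flooded = set()               # ips already alerted, so a flood alerts once
    has_generated = set()         # sids that issued at least one generate event
    orphan_cancels = Counter()    # sid -> cancel_generation calls with no prior generate
    for ts, ip, sid, event in events:
        if event in GENERATE_EVENTS:
            has_generated.add(sid)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop generate events older than one minute
                q.popleft()
            if len(q) > RATE_LIMIT and ip not in flooded:
                flooded.add(ip)
                alerts.append(("generate_flood", ip))
        elif event == "cancel_generation" and sid not in has_generated:
            orphan_cancels[sid] += 1
            if orphan_cancels[sid] == 2:    # "repeated": alert on the second orphan cancel
                alerts.append(("orphan_cancel", sid))
    return alerts
```

The legitimate user's cancel is not flagged because the same session id issued a generate event first; a per-IP rather than per-session rate window is what catches a client that reconnects under fresh session ids.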

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI System Access Control
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2026-1117 actively exploited?

No confirmed active exploitation of CVE-2026-1117 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-1117?

This vulnerability affects the following AI/ML architecture patterns: local model serving, self-hosted LLM UI, multi-user inference frontends, AI developer environments.

What is the CVSS score for CVE-2026-1117?

CVE-2026-1117 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.

Exploitation Scenario

Attacker discovers an internet-exposed lollms instance via Shodan (searching for lollms default port 9600 or custom ports). Using a standard Socket.IO client library (socket.io-client, python-socketio), they connect without authentication. They emit rapid generate_text events with maximally expensive prompts (e.g., long context + high token count completions). Simultaneously, a second attack client emits cancel_generation events to interrupt legitimate users. The global lollmsElfServer.busy flag ensures legitimate generation requests are queued indefinitely while attacker jobs consume all resources. With three concurrent attack clients creating interleaved generate/cancel/generate sequences, they trigger a race condition that leaves the server in an inconsistent state, taking the service offline for all users.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Timeline

Published: February 2, 2026
Last Modified: February 2, 2026
First Seen: March 24, 2026
