CVE-2026-1117: LoLLMs Access Control bypass enables

CISO Take

If your org runs parisneo/lollms exposed to any untrusted network, this is patch-now. Any unauthenticated Socket.IO client can trigger unbounded LLM inference, cancel running generations, and corrupt global server state — zero credentials required. Upgrade to lollms 2.1.0 immediately; if patching is delayed, enforce network-layer access control (firewall or authenticated reverse proxy) before the next business day.

What is the risk?

High risk for internet-exposed or shared-network lollms deployments. CVSS 8.2 with no privileges required and trivially low attack complexity — any Socket.IO client suffices, no AI/ML knowledge needed. EPSS 0.00078 indicates limited active exploitation at time of publication, but the barrier to exploit is near-zero. The global state architecture amplifies blast radius in multi-user environments: a single attacker degrades service for all concurrent users simultaneously. Organizations running lollms as a shared inference frontend in AI labs or developer environments face the highest exposure.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LoLLMs	pip	< 2.1.0	`2.1.0`
81 Pushed 8d ago 33% patched ~1d to patch Full package profile →

Do you use LoLLMs? You're affected.

How severe is it?

CVSS 3.1

8.2 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 35% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I Low

A High

What should I do?

5 steps

PATCH

Upgrade to lollms >= 2.1.0 which adds authentication checks to Socket.IO event handlers.
ISOLATE (if patching delayed): Restrict lollms port access to trusted IPs via firewall rules or reverse proxy ACL — lollms must never be directly internet-accessible.
PROXY

Place lollms behind an authenticated reverse proxy (nginx + oauth2-proxy or basic auth as minimum).
DETECT

Monitor Socket.IO connections for anomalous patterns — >10 generate events/min from a single IP, or repeated cancel_generation calls with no preceding generate, should trigger alerts.
AUDIT

Review all lollms deployments in your environment for network exposure before closing this finding.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass DoS API Inference Framework AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI System Access Control

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2026-1117?

If your org runs parisneo/lollms exposed to any untrusted network, this is patch-now. Any unauthenticated Socket.IO client can trigger unbounded LLM inference, cancel running generations, and corrupt global server state — zero credentials required. Upgrade to lollms 2.1.0 immediately; if patching is delayed, enforce network-layer access control (firewall or authenticated reverse proxy) before the next business day.

Is CVE-2026-1117 actively exploited?

No confirmed active exploitation of CVE-2026-1117 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-1117?

1. PATCH: Upgrade to lollms >= 2.1.0 which adds authentication checks to Socket.IO event handlers. 2. ISOLATE (if patching delayed): Restrict lollms port access to trusted IPs via firewall rules or reverse proxy ACL — lollms must never be directly internet-accessible. 3. PROXY: Place lollms behind an authenticated reverse proxy (nginx + oauth2-proxy or basic auth as minimum). 4. DETECT: Monitor Socket.IO connections for anomalous patterns — >10 generate events/min from a single IP, or repeated cancel_generation calls with no preceding generate, should trigger alerts. 5. AUDIT: Review all lollms deployments in your environment for network exposure before closing this finding.

What systems are affected by CVE-2026-1117?

This vulnerability affects the following AI/ML architecture patterns: local model serving, self-hosted LLM UI, multi-user inference frontends, AI developer environments.

What is the CVSS score for CVE-2026-1117?

CVE-2026-1117 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.44%.

What is the AI security impact?

Affected AI Architectures

local model servingself-hosted LLM UImulti-user inference frontendsAI developer environments

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.6

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.

Exploitation Scenario

Attacker discovers an internet-exposed lollms instance via Shodan (searching for lollms default port 9600 or custom ports). Using a standard Socket.IO client library (socket.io-client, python-socketio), they connect without authentication. They emit rapid generate_text events with maximally expensive prompts (e.g., long context + high token count completions). Simultaneously, a second attack client emits cancel_generation events to interrupt legitimate users. The global lollmsElfServer.busy flag ensures legitimate generation requests are queued indefinitely while attacker jobs consume all resources. With three concurrent attack clients creating interleaved generate/cancel/generate sequences, they trigger a race condition that leaves the server in an inconsistent state, taking the service offline for all users.

Weaknesses (CWE)

CWE-284 Improper Access Control Primary

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

[Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.