CVE-2026-1114

Exploit

EPSS 0.54%
Veröffentlicht 07.04.2026 06:19:05
Zuletzt bearbeitet 28.04.2026 00:00:29
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lollms ≫ Lollms Version2.1.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.54%	0.411

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89

Third Party Advisory

Exploit

https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-1114

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-1114

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-1114

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-1114