Improper Access Control in LollMS Application by Parisneo
CVE-2026-1114

9.8 CRITICAL

Key Information:

Vendor

Parisneo

CVE Published:
7 April 2026

What is CVE-2026-1114?

The LollMS application developed by Parisneo has a security vulnerability in its session management. In version 2.1.0, the application signs JSON Web Tokens (JWT) with a weak secret key. Because an HMAC-signed JWT can be verified by anyone who holds a valid token, the weak secret allows an attacker to run an offline brute-force attack to recover it. With the secret in hand, an attacker can forge an administrative token by altering the JWT payload and signing it with the recovered key. This results in privilege escalation: unauthenticated users can impersonate administrators and reach protected endpoints. The issue has been fixed in version 2.2.0.
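The defensive counterpart to this issue, as an added example that is not LollMS code: a start-up check that refuses short or low-entropy HS256 secrets (a 32-byte minimum and a Shannon-entropy heuristic are assumptions, chosen to match the 256-bit key size RFC 7518 recommends for HS256), a generator for a secret of adequate size, and a verifier that pins the algorithm and uses a constant-time comparison.

```python
import base64, hashlib, hmac, json, math, secrets
from collections import Counter
from typing import Optional

MIN_SECRET_BYTES = 32   # assumption: 256-bit floor for an HS256 key
MIN_ENTROPY_BITS = 128  # assumption: heuristic floor on estimated entropy

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def estimated_entropy_bits(secret: str) -> float:
    # Shannon entropy of the character distribution times length; a rough
    # heuristic that rejects repeated characters and very short strings.
    n = len(secret)
    counts = Counter(secret)
    return n * -sum(c / n * math.log2(c / n) for c in counts.values())

def secret_is_strong(secret: str) -> bool:
    # Reject secrets that are too short or too predictable to resist
    # an offline guessing attack against a captured token.
    return (len(secret.encode()) >= MIN_SECRET_BYTES
            and estimated_entropy_bits(secret) >= MIN_ENTROPY_BITS)

def generate_secret() -> str:
    # 48 random bytes from the OS CSPRNG, URL-safe encoded (64 characters).
    return secrets.token_urlsafe(48)

def sign_hs256(payload: dict, secret: str) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str) -> Optional[dict]:
    # Returns the payload only if the header pins HS256 and the MAC matches;
    # any malformed token, "alg":"none", or wrong key yields None.
    try:
        h, b, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(b))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
```

Wire `secret_is_strong` into application start-up so a deployment with a placeholder or default secret fails closed instead of serving tokens.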

Affected Version(s)

parisneo/lollms < 2.2.0

References

CVSS V3.0

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
