Home / Vulnerability Intelligence / CVE-2026-1114

CVE-2026-1114 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 7, 2026

parisneo lollms - Authentication Bypass

Published: April 7, 2026Updated: April 7, 2026Remote Exploitable

Overview

parisneo/lollms 2.1.0 contains a broken authentication caused by weak secret key used for signing JSON Web Tokens, letting attackers perform offline brute-force to forge admin tokens and escalate privileges, exploit requires attacker to obtain JWT tokens.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can forge admin tokens to escalate privileges and access restricted endpoints, compromising the system's security.

Mitigation

Upgrade to version 2.2.0.

References

https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34
https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-1114
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new

CWE

CWE-284

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H