CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and re-signing it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
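As an added illustration, not code from lollms or from this advisory, the HS256 issue/verify pair below shows the two server-side controls that close this class of weakness: refusing to run with a secret shorter than an assumed 32-byte minimum (so offline recovery is not feasible), and pinning the algorithm and comparing signatures in constant time, so a payload edited to claim administrator rights fails verification unless it was re-signed with the real secret. All function names and the minimum length are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

MIN_SECRET_BYTES = 32  # assumed policy: at least 256 bits of key material for HS256

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_payload(payload: dict) -> str:
    return b64url_encode(json.dumps(payload, separators=(",", ":")).encode())

def secret_is_strong(secret: str) -> bool:
    """Startup check: a short, guessable secret is what makes offline recovery feasible."""
    return len(secret.encode()) >= MIN_SECRET_BYTES

def sign_hs256(payload: dict, secret: str) -> str:
    """Issue an HS256 JWT, refusing to operate at all with a weak secret."""
    if not secret_is_strong(secret):
        raise ValueError("JWT secret shorter than %d bytes" % MIN_SECRET_BYTES)
    header = encode_payload({"alg": "HS256", "typ": "JWT"})
    body = encode_payload(payload)
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload only if the signature verifies under `secret`, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(body_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm server-side; never honour "none" or alg switches
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return payload
```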
Analysis
JWT secret key brute-forcing in Parisneo Lollms 2.1.0 allows unauthenticated remote attackers to forge administrative tokens and achieve full system compromise. The application uses a weak secret for signing JSON Web Tokens, enabling offline attacks to recover credentials and escalate privileges to administrator level. …
Remediation
Within 24 hours: Immediately inventory all Lollms instances and verify version numbers; isolate Lollms 2.1.0 deployments from production networks if possible. Within 7 days: Upgrade all affected instances to Lollms 2.2.0 (patched version); if upgrade is infeasible, implement network segmentation to restrict administrative token generation endpoints to trusted networks only. …
EUVD-2026-19574
GHSA-9296-v3fr-j92j