Is Race Condition affected by CVE-2026-1117?

A critical vulnerability in the LOLLMS application (v5.9.0) exposes sensitive Socket.IO events to unauthenticated users, potentially allowing attackers to intercept, manipulate, or exfiltrate real-time communications without credentials.

CVE-2026-1117

HIGH

2026-02-02 [email protected]

GHSA-82fw-ch24-j34w

8.2

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:01 vuln.today

CVE Published

Feb 02, 2026 - 10:16 nvd

HIGH 8.2

Description

A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.

Analysis

Unauthenticated clients can invoke resource-intensive Socket.IO events in lollms 5.9.0 due to missing authentication checks in the event handler registration, allowing attackers to trigger denial of service and state corruption. The vulnerability is compounded by improper use of global state flags in multi-client environments, enabling attackers to interfere with legitimate client operations and manipulate server state through race conditions. …

Remediation

Within 24 hours: Identify all systems running LOLLMS 5.9.0 and isolate them from production networks or restrict access via firewall rules. Within 7 days: Implement network segmentation to limit Socket.IO event exposure and deploy WAF rules to block unauthorized event handlers; begin upgrade planning to a patched version. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +41

POC: 0

CVE-2026-1117 vulnerability details – vuln.today

Back

CVE-2026-1117

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-1117

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code