Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.
AnalysisAI
Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.
Technical ContextAI
The vulnerability stems from improper session management in the parisneo/lollms application, classified under CWE-613 (Insufficient Session Expiration). The root cause is twofold: the application lacks logic to invalidate existing session tokens when a user resets their password, and it maintains an excessively permissive default session timeout of 31 days. Session tokens are typically used for stateless authentication in web applications; without forced invalidation upon credential changes, an attacker who has previously obtained a valid session token can continue making authenticated requests indefinitely. The absence of inactivity timeout mechanisms further compounds the issue, allowing tokens to persist regardless of actual usage patterns.
RemediationAI
The primary mitigation requires implementing mandatory session invalidation upon password reset, immediately terminating all active session tokens associated with the user account. Additionally, implement an inactivity timeout mechanism significantly shorter than the current 31-day default; industry best practice typically recommends 15-30 minutes for interactive sessions. Configure session tokens to include password change timestamps, rejecting any tokens issued prior to the most recent credential change. Apply security patches when released by parisneo; for interim protection, administrators should monitor session logs for anomalous token usage patterns and consider implementing IP-based session binding to limit token reuse across different network locations. Consult the vendor advisory at https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b for specific patch availability and additional mitigation guidance.
More in Parisneo Lollms
View allWeak JWT secret key in LoLLMs 2.1.0 enables offline brute-force recovery, allowing remote unauthenticated attackers to f
Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malic
Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitr
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20030
GHSA-8jg2-726g-xh43