Skip to main content

Parisneo Lollms CVE-2026-1163

| EUVDEUVD-2026-20030 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-04-08 @huntr_ai GHSA-8jg2-726g-xh43
4.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 02:30 euvd
EUVD-2026-20030
Analysis Generated
Apr 08, 2026 - 02:30 vuln.today
CVE Published
Apr 08, 2026 - 02:20 nvd
MEDIUM 4.1

DescriptionCVE.org

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.

AnalysisAI

Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

The vulnerability stems from improper session management in the parisneo/lollms application, classified under CWE-613 (Insufficient Session Expiration). The root cause is twofold: the application lacks logic to invalidate existing session tokens when a user resets their password, and it maintains an excessively permissive default session timeout of 31 days. Session tokens are typically used for stateless authentication in web applications; without forced invalidation upon credential changes, an attacker who has previously obtained a valid session token can continue making authenticated requests indefinitely. The absence of inactivity timeout mechanisms further compounds the issue, allowing tokens to persist regardless of actual usage patterns.

RemediationAI

The primary mitigation requires implementing mandatory session invalidation upon password reset, immediately terminating all active session tokens associated with the user account. Additionally, implement an inactivity timeout mechanism significantly shorter than the current 31-day default; industry best practice typically recommends 15-30 minutes for interactive sessions. Configure session tokens to include password change timestamps, rejecting any tokens issued prior to the most recent credential change. Apply security patches when released by parisneo; for interim protection, administrators should monitor session logs for anomalous token usage patterns and consider implementing IP-based session binding to limit token reuse across different network locations. Consult the vendor advisory at https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b for specific patch availability and additional mitigation guidance.

Share

CVE-2026-1163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy