PT-2026-30796 · Lollms · Lollms

Published: 2026-01-07 · Updated: 2026-04-28 · CVE-2026-1114

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: parisneo/lollms versions prior to 2.2.0

Description: Session management is subject to improper access control because a weak secret key is used for signing JSON Web Tokens (JWT). This allows an attacker to conduct an offline brute-force attack to recover the secret key and subsequently forge administrative tokens by modifying the JWT payload. This process enables unauthorized users to escalate privileges, impersonate the administrator, and access restricted endpoints.

Recommendations: Update to version 2.2.0.
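The weakness described above comes down to two checks a JWT-based session layer must get right: the HS256 secret must be long enough and random enough that offline guessing is infeasible, and the verifier must reject any token whose payload was edited after signing. The following is an added example (not lollms project code) using only the Python standard library; the 32-byte minimum and the distinct-byte heuristic in check_secret_strength are assumed policy values chosen for illustration, and the token layout is plain RFC 7519 HS256.

```python
"""Minimal HS256 JWT sign/verify with a secret-strength policy gate.

Added illustration, not code from parisneo/lollms. Shows (1) refusing to
sign with a weak/default secret, (2) pinning the algorithm instead of
trusting the token header, and (3) rejecting a token whose payload was
rewritten (e.g. role changed to admin) without a matching signature.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Assumed policy: secret at least 256 bits, i.e. the HS256 output size.
MIN_SECRET_BYTES = 32
MIN_DISTINCT_BYTES = 16  # crude low-entropy filter (assumed threshold)


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_secret_strength(secret: bytes) -> bool:
    """Reject short secrets and obviously low-entropy ones (repeated bytes, defaults)."""
    if len(secret) < MIN_SECRET_BYTES:
        return False
    return len(set(secret)) >= MIN_DISTINCT_BYTES


def generate_secret() -> bytes:
    """Generate a signing secret from the OS CSPRNG."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT; refuses to operate with a weak secret."""
    if not check_secret_strength(secret):
        raise ValueError("refusing to sign with a weak secret")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(_compact_json(header)) + "." + b64url(_compact_json(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, secret: bytes):
    """Return the payload if the signature is valid under HS256, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Test helper: swap the payload but keep the old signature.

    A correct verifier must reject the result; only someone holding the
    secret could produce a matching signature for the new payload.
    """
    h, _old_payload, s = token.split(".")
    return h + "." + b64url(_compact_json(new_payload)) + "." + s


if __name__ == "__main__":
    key = generate_secret()
    tok = sign({"sub": "alice", "role": "user"}, key)
    print("valid token ->", verify(tok, key))
    forged = tamper_payload(tok, {"sub": "alice", "role": "admin"})
    print("tampered token ->", verify(forged, key))
    print("weak secret accepted? ->", check_secret_strength(b"secret"))
```

The point of check_secret_strength is to fail fast at startup: a service that derives its JWT key from a hard-coded or short string should refuse to issue sessions at all, rather than let the weakness surface later as forged administrator tokens. The hmac.compare_digest call keeps signature comparison constant-time.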

Exploit

Fix

Weakness Enumeration: Improper Access Control

Related Identifiers

BDU:2026-06488
CVE-2026-1114
PYSEC-2026-170

Affected Products

Lollms