PT-2026-5648 · Parisneo · Lollms

Published 2026-02-02 · Updated 2026-02-02 · CVE-2026-1117

CVSS v3.1 8.2 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
parisneo/lollms version 5.9.0

Description
A flaw exists in the lollms lollms_generation_events.py component that permits unauthenticated access to sensitive Socket.IO events. The add_events function registers the event handlers generate_text, cancel_generation, generate_msg, and generate_msg_from without any authentication or authorization check, so any client that can reach the Socket.IO endpoint can trigger resource-intensive text generation or alter the server's state. This can lead to denial of service, state corruption, and race conditions. Managing state through the global flags lollmsElfServer.busy and lollmsElfServer.cancel_gen in a multi-client environment adds a further risk: one client can change the flags that govern another client's generation, for example cancelling it or keeping the server marked busy.

Recommendations
Versions prior to 5.9.0 are not affected. Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the vulnerable component lollms_generation_events.py until a patch is available.
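The following is an added illustration, not code from lollms or from the advisory. It places the pattern the description criticises (shared busy/cancel_gen flags, handlers that never check who is calling) beside a per-connection alternative that rejects unauthenticated Socket.IO clients at connect time. The event names are the four the advisory quotes; VALID_TOKENS, FakeServer and the two state classes are assumptions made for this example, and a real deployment would bind the token to the existing login session rather than a static table.

```python
"""Added example: global-flag generation events vs. an authenticated,
per-connection guard. Not lollms code; names below are assumptions."""
from dataclasses import dataclass
from typing import Dict

# Event names quoted in the advisory.
GENERATE_EVENTS = ("generate_text", "generate_msg", "generate_msg_from")

# Constructed sample credentials (token -> user); assumption for this demo.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class GlobalFlagState:
    """The shape the advisory describes: one busy/cancel_gen pair shared by
    every client, and no check of who is calling."""

    def __init__(self):
        self.busy = False
        self.cancel_gen = False

    def generate(self, sid, data=None):
        if self.busy:
            return "busy"
        self.busy, self.cancel_gen = True, False
        return "started"

    def cancel(self, sid, data=None):
        self.cancel_gen = True          # any client flips it for everyone
        return "cancel_requested"


@dataclass
class ClientState:
    user: str
    busy: bool = False
    cancel_gen: bool = False


class GuardedState:
    """Per-connection state; events from unknown sids are refused."""

    def __init__(self, tokens: Dict[str, str]):
        self.tokens = tokens
        self.clients: Dict[str, ClientState] = {}

    def connect(self, sid, environ=None, auth=None) -> bool:
        user = self.tokens.get((auth or {}).get("token"))
        if user is None:
            return False                # python-socketio rejects the connect
        self.clients[sid] = ClientState(user=user)
        return True

    def disconnect(self, sid):
        self.clients.pop(sid, None)

    def generate(self, sid, data=None) -> str:
        st = self.clients.get(sid)
        if st is None:
            return "unauthorized"
        if st.busy:
            return "busy"
        st.busy, st.cancel_gen = True, False
        return "started"

    def cancel(self, sid, data=None) -> str:
        st = self.clients.get(sid)
        if st is None:
            return "unauthorized"
        if not st.busy:
            return "idle"
        st.cancel_gen = True            # affects this connection only
        return "cancel_requested"


class FakeServer:
    """Offline stand-in for socketio.Server exposing the same .on(event)
    decorator; fire() delivers an event as the server would."""

    def __init__(self):
        self.handlers = {}

    def on(self, event):
        def register(fn):
            self.handlers[event] = fn
            return fn
        return register

    def fire(self, event, sid, *args):
        return self.handlers[event](sid, *args)


def add_events(sio, state: GuardedState):
    """Register the generation events behind the guard (hypothetical wiring)."""
    sio.on("connect")(state.connect)
    sio.on("disconnect")(state.disconnect)
    for ev in GENERATE_EVENTS:
        sio.on(ev)(state.generate)
    sio.on("cancel_generation")(state.cancel)


def scenario():
    """Two clients; bob tries to cancel alice's generation in both models."""
    weak = GlobalFlagState()
    weak.generate("alice")
    weak.cancel("bob")                  # unauthenticated, shared flag
    out = {"weak_cancel_seen_by_alice": weak.cancel_gen}

    sio, state = FakeServer(), GuardedState(VALID_TOKENS)
    add_events(sio, state)
    out["anon_connect"] = sio.fire("connect", "anon", {}, {"token": "bogus"})
    out["anon_generate"] = sio.fire("generate_text", "anon", {"prompt": "hi"})
    sio.fire("connect", "alice", {}, {"token": "tok-alice"})
    sio.fire("connect", "bob", {}, {"token": "tok-bob"})
    out["alice_generate"] = sio.fire("generate_msg", "alice", {"id": 1})
    out["bob_cancel"] = sio.fire("cancel_generation", "bob", {})
    out["alice_cancel_flag"] = state.clients["alice"].cancel_gen
    return out


if __name__ == "__main__":
    print(scenario())
```

Run as a script to see both outcomes: in the global-flag model bob's cancel sets the flag alice's generation loop would read, while in the guarded model the anonymous connect is refused, the anonymous generate_text is answered "unauthorized", and bob's cancel_generation is a no-op for alice. With a real socketio.AsyncServer the handlers would need to be coroutines and the rejected connect is what keeps the four events unreachable without a token.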

Fix

DoS

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-1117
GHSA-82FW-CH24-J34W

Affected Products

Lollms