Platform: nodejs
Component: lollms
Fixed in: 2.2.0
CVE-2026-1114 is a critical vulnerability affecting the lollms application in versions prior to 2.2.0. It stems from improper access control in the management of user sessions: a weak secret key is used to sign JSON Web Tokens (JWTs). Successful exploitation allows attackers to gain unauthorized administrative privileges and access sensitive data.
The core of the vulnerability lies in the weak secret key used to sign JWTs. An attacker can perform an offline brute-force attack to recover this key. Once the secret is compromised, they can forge administrative tokens by manipulating the JWT payload and resigning it with the cracked secret. This effectively grants the attacker the ability to impersonate an administrator, bypassing authentication and authorization mechanisms. The potential impact includes unauthorized access to sensitive data, modification of system configurations, and complete control over the lollms application. This vulnerability shares similarities with other JWT-related vulnerabilities where weak key management leads to privilege escalation.
CVE-2026-1114 was publicly disclosed on 2026-04-07. While no public proof-of-concept (PoC) has been released, the vulnerability's nature and severity suggest a high probability of exploitation. The EPSS score is likely to be assessed as medium to high, given the ease of exploitation once the secret key is compromised. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2026-1114 is to immediately upgrade lollms to version 2.2.0 or later, which addresses the weak secret key issue. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to sensitive endpoints and closely monitoring JWT activity for suspicious patterns. Implement a Web Application Firewall (WAF) with rules to detect and block JWT manipulation attempts. Regularly rotate the JWT secret key, even after upgrading, to minimize the impact of a potential compromise.
Update to version 2.2.0 or later to mitigate the vulnerability. This version implements a more secure secret key for JWT signing, preventing key recovery and administrative token forgery.
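As an added illustration of the fix and of a check operators can run themselves (this is not lollms code; it assumes HS256 tokens with a string secret and uses only the Python standard library), the block below audits a JWT signing secret for the weakness described above, generates a replacement from a CSPRNG, and shows a verifier that only accepts tokens signed under the strong secret, so a token re-signed with a guessed key or carrying alg=none is rejected:

```python
import base64, hashlib, hmac, json, math, secrets
from collections import Counter

MIN_SECRET_BYTES = 32  # 256 bits, the minimum HS256 key length per RFC 7518 section 3.2
# Constructed sample denylist; a real audit would use a much larger wordlist.
WEAK_SECRETS = {"secret", "password", "changeme", "jwt_secret", "123456"}

def entropy_bits(secret: str) -> float:
    """Rough Shannon-entropy estimate of the whole string, in bits."""
    n = len(secret)
    return n * -sum(c / n * math.log2(c / n) for c in Counter(secret).values())

def audit_jwt_secret(secret: str) -> list:
    """Return a list of findings; an empty list means the secret passed."""
    findings = []
    if secret.lower() in WEAK_SECRETS:
        findings.append("secret is in the weak-secret denylist")
    if len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append(f"secret is shorter than {MIN_SECRET_BYTES} bytes")
    if entropy_bits(secret) < 128:
        findings.append("estimated entropy is below 128 bits")
    return findings

def generate_secret() -> str:
    """CSPRNG-generated replacement secret; always passes audit_jwt_secret."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: str) -> str:
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str) -> "dict | None":
    """Return the payload only if the token is HS256-signed with `secret`; alg=none is rejected."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(body_b64))
```

Run `audit_jwt_secret` against the configured secret as a pre-upgrade check; any finding means tokens should be treated as forgeable and the secret rotated.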
CVE-2026-1114 is a critical vulnerability in lollms versions before 2.2.0 where a weak JWT secret allows attackers to forge admin tokens and gain unauthorized access.
If you are running lollms versions prior to 2.2.0, you are vulnerable to this access control issue. Upgrade immediately.
Upgrade lollms to version 2.2.0 or later to resolve the weak JWT secret vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official lollms project repository or website for the latest security advisories and updates related to CVE-2026-1114.