Platform
python
Component
lollms
Fixed in
11.0.1
CVE-2026-1163 describes an insufficient session expiration vulnerability within the parisneo/lollms application. This flaw allows attackers to maintain persistent access to compromised accounts, even after a legitimate password reset. The vulnerability stems from a lack of session invalidation logic following a password reset and an extended default session duration of 31 days. Affected versions include those prior to 11.0.0.
The primary impact of CVE-2026-1163 is the potential for persistent unauthorized access. An attacker who has gained initial access to an account, even temporarily, can leverage this vulnerability to maintain that access indefinitely, bypassing password reset attempts. This allows them to perform actions on behalf of the compromised user, potentially including data exfiltration, modification of sensitive information, or further lateral movement within the system. The blast radius extends to any data or resources accessible by the compromised user account.
CVE-2026-1163 was publicly disclosed on 2026-04-07. The vulnerability's severity is rated as MEDIUM (4.1 CVSS). No public proof-of-concept (PoC) code has been identified as of this writing. It is not currently listed on the CISA KEV catalog. The ease of exploitation is likely moderate, requiring an attacker to have already compromised an account to leverage the persistent session issue.
Exploit Status
EPSS
0.04% (14% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1163 is to upgrade lollms to a version greater than 11.0.0, which includes the necessary session expiration fixes. If an immediate upgrade is not feasible, consider implementing temporary workarounds. These may include shortening the default session duration to a more reasonable timeframe (e.g., 15-30 minutes) and implementing stricter session invalidation policies after password resets. Monitor application logs for suspicious activity related to session management. After upgrading, confirm session expiration is functioning correctly by resetting a password and verifying the old session token is invalidated.
Implementar una lógica para invalidar las sesiones después de un restablecimiento de contraseña y reducir la duración predeterminada de la sesión para mitigar el riesgo de acceso persistente a cuentas comprometidas.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-1163 is a vulnerability in lollms versions ≤11.0.0 where attackers can maintain access to accounts even after password resets due to insufficient session expiration logic.
You are affected if you are using lollms version 11.0.0 or earlier. The vulnerability allows persistent unauthorized access after a password reset.
Upgrade lollms to a version greater than 11.0.0. As a temporary workaround, shorten the session duration and implement stricter session invalidation policies.
There is no confirmed active exploitation of CVE-2026-1163 as of the current date, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the official parisneo/lollms advisory for details regarding CVE-2026-1163 and the available patch.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.