Platform: python
Component: lollms
Fixed in: 2.2.0
CVE-2026-0558 is an Unrestricted File Upload vulnerability discovered in lollms, a Python-based project, impacting versions up to 2.2.0. This vulnerability allows unauthenticated users to upload and process arbitrary files via the /api/files/extract-text endpoint, bypassing authentication checks. Successful exploitation can lead to denial of service, information disclosure, and potential security policy breaches. A fix is available in version 2.2.0.
The primary impact of CVE-2026-0558 is the ability for an unauthenticated attacker to upload and process files without proper authorization. This opens the door to several malicious scenarios. An attacker could upload large files to exhaust server resources, leading to a denial of service (DoS) condition, rendering the lollms application unavailable to legitimate users. Furthermore, the ability to process arbitrary files could allow an attacker to disclose sensitive information contained within those files. The lack of authentication on this endpoint represents a significant security policy violation, as it circumvents intended access controls.
CVE-2026-0558 was publicly disclosed on 2026-03-29. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. The vulnerability's simplicity and lack of authentication make it a potential target for opportunistic attackers.
Organizations deploying lollms in production environments, particularly those without robust network segmentation or intrusion detection systems, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as an attacker could potentially compromise the entire environment through this vulnerability.
• python / server:

```python
# Probe whether your own lollms instance accepts an upload without credentials.
# Replace the host with the server you operate.
import requests

url = 'http://your-lollms-server/api/files/extract-text'
with open('test.txt', 'rb') as fh:
    files = {'file': fh}
    response = requests.post(url, files=files, timeout=10)

if response.status_code == 200:
    print('Potential vulnerability: File upload successful without authentication.')
else:
    print('File upload failed.')
```

• linux / server:

```shell
journalctl -u lollms -f | grep "/api/files/extract-text"
```

• generic web:

```shell
curl -I http://your-lollms-server/api/files/extract-text
```

Check the response headers for the absence of an authentication requirement.
EPSS: 0.31% (54th percentile)
The recommended mitigation for CVE-2026-0558 is to immediately upgrade lollms to version 2.2.0 or later, which includes the necessary authentication checks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /api/files/extract-text endpoint from unauthenticated users. Additionally, review and strengthen the application's overall authentication and authorization mechanisms. Monitor server logs for suspicious file upload activity, particularly requests originating from unknown or unauthorized sources.
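The log-monitoring snippets above and the WAF-style workaround in this paragraph can both be expressed in a few lines of stdlib Python. The block below is an added example, not lollms project code: it sweeps access-log lines for successful unauthenticated or oversized POSTs to the endpoint and for bursts from one source, and it implements the blocking rule a gateway in front of lollms would apply. The log format, the `auth=yes|no` field, the `Authorization` header check and the size limit are assumptions; the log lines are constructed.

```python
"""Added example (not lollms project code): a log sweep and a gateway rule for
the /api/files/extract-text endpoint described in CVE-2026-0558.
The log format, header name and size limit below are assumptions."""
import re
from collections import Counter

ENDPOINT = "/api/files/extract-text"
MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # assumed limit; tune to your deployment

# Assumed log format: <ip> <method> <path> <status> <request_bytes> auth=<yes|no>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"(?P<bytes>\d+) auth=(?P<auth>yes|no)$"
)

# Constructed sample lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 POST /api/files/extract-text 200 2048 auth=yes
203.0.113.9 POST /api/files/extract-text 200 4096 auth=no
203.0.113.9 POST /api/files/extract-text 200 52428800 auth=no
203.0.113.9 POST /api/files/extract-text 200 4096 auth=no
198.51.100.7 GET /api/health 200 0 auth=no
203.0.113.9 POST /api/files/extract-text 401 512 auth=no
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(log_text, burst_threshold=3):
    """Return findings as (kind, ip, value) tuples: successful unauthenticated
    uploads, uploads over the size limit, and sources that hit the endpoint
    at least burst_threshold times (a simple DoS indicator)."""
    findings = []
    hits = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        hits[rec["ip"]] += 1
        size = int(rec["bytes"])
        if rec["status"] == "200" and rec["auth"] == "no":
            findings.append(("unauth_success", rec["ip"], size))
        if size > MAX_UPLOAD_BYTES:
            findings.append(("oversized_upload", rec["ip"], size))
    for ip, n in hits.items():
        if n >= burst_threshold:
            findings.append(("burst", ip, n))
    return findings


def gateway_decision(method, path, headers, content_length):
    """Compensating control in the spirit of the WAF rule the advisory suggests:
    deny unauthenticated or oversized requests to the endpoint, pass the rest
    through. Returns (allowed, reason)."""
    if path != ENDPOINT:
        return True, "not in scope"
    if method.upper() != "POST":
        return False, "method not allowed"
    if not headers.get("Authorization"):
        return False, "missing Authorization header"
    if content_length > MAX_UPLOAD_BYTES:
        return False, "upload exceeds size limit"
    return True, "ok"


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
    print(gateway_decision("POST", ENDPOINT, {}, 1024))
```

The gateway rule only narrows exposure until the upgrade is applied: it does not validate the credential it sees, so pair it with the real authentication check that 2.2.0 adds rather than relying on it alone.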
Update the lollms library to a version later than 2.2.0. This fixes the unauthorized file upload vulnerability in the `/api/files/extract-text` endpoint.
CVE-2026-0558 is a vulnerability in lollms versions up to 2.2.0 that allows unauthenticated users to upload and process files, potentially leading to DoS and information disclosure.
You are affected if you are running lollms version 2.2.0 or earlier. Verify your version and upgrade immediately.
Upgrade lollms to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to block unauthenticated access to the /api/files/extract-text endpoint.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the lollms project's official repository and security announcements for the latest information: [https://github.com/parisneo/lollms](https://github.com/parisneo/lollms)