Platform
python
Component
lollms
Fixed in
11.0.1
CVE-2026-1163 describes an insufficient session expiration vulnerability within the parisneo/lollms application. This flaw allows attackers to maintain persistent access to compromised accounts, even after a legitimate password reset. The vulnerability stems from a lack of session invalidation logic following a password reset and an extended default session duration of 31 days. Affected versions include those prior to 11.0.0.
The primary impact of CVE-2026-1163 is the potential for persistent unauthorized access. An attacker who has gained initial access to an account, even temporarily, can leverage this vulnerability to maintain that access indefinitely, bypassing password reset attempts. This allows them to perform actions on behalf of the compromised user, potentially including data exfiltration, modification of sensitive information, or further lateral movement within the system. The blast radius extends to any data or resources accessible by the compromised user account.
CVE-2026-1163 was publicly disclosed on 2026-04-07. The vulnerability's severity is rated as MEDIUM (4.1 CVSS). No public proof-of-concept (PoC) code has been identified as of this writing. It is not currently listed on the CISA KEV catalog. The ease of exploitation is likely moderate, requiring an attacker to have already compromised an account to leverage the persistent session issue.
Organizations deploying lollms in production environments, particularly those with sensitive data or critical infrastructure managed through the application, are at risk. Shared hosting environments where multiple users share the same lollms instance are also particularly vulnerable, as a compromise of one account could potentially lead to persistent access for the attacker.
• python / server:
```python
import time

import requests

# Replace with your lollms instance URL
base_url = "http://your-lollms-instance"

# Placeholder: obtain a session token through your normal login flow *before*
# the reset, so the check below exercises a pre-reset token.
session_token = "your_session_token"

# Trigger the password reset for the account (assuming the necessary credentials).
# The endpoint paths and the e-mail address are placeholders; adjust them to your deployment.
password_reset_url = f"{base_url}/password_reset"
password_reset_data = {"email": "user@example.com"}  # placeholder address
response = requests.post(password_reset_url, json=password_reset_data)
response.raise_for_status()  # do not continue if the reset itself failed

# Wait a few seconds for the password reset to complete
time.sleep(5)

# Attempt to use the old session token after the password reset
headers = {"Authorization": f"Bearer {session_token}"}
response = requests.get(f"{base_url}/protected_resource", headers=headers)
if response.status_code == 200:
    print("Old session token still valid after password reset - Vulnerability Detected!")
else:
    print("Old session token invalidated - No Vulnerability Detected.")
```
Exploit status
EPSS
0.04% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1163 is to upgrade lollms to a version greater than 11.0.0, which includes the necessary session expiration fixes. If an immediate upgrade is not feasible, consider implementing temporary workarounds. These may include shortening the default session duration to a more reasonable timeframe (e.g., 15-30 minutes) and implementing stricter session invalidation policies after password resets. Monitor application logs for suspicious activity related to session management. After upgrading, confirm session expiration is functioning correctly by resetting a password and verifying the old session token is invalidated.
Implement logic to invalidate sessions after a password reset and reduce the default session duration to mitigate the risk of persistent access to compromised accounts.
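An added illustration of the fix the advisory calls for (invalidating every existing session on password reset, plus a short absolute session lifetime); this is example code written for this page, not lollms's own implementation, and the store, names and 30-minute TTL are assumptions:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# 30-minute default (the page's suggested range) instead of the advisory's 31 days
SESSION_TTL_SECONDS = 30 * 60

@dataclass
class User:
    password_hash: str              # opaque here; use a real KDF in production
    credential_generation: int = 0  # incremented on every password reset

@dataclass
class Session:
    username: str
    generation: int                 # credential generation it was issued under
    issued_at: float

class SessionStore:
    """Sessions carry an absolute expiry and are bound to the credential
    generation they were issued under, so a reset rejects every old token."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS):
        self.ttl = ttl
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, username: str, password_hash: str) -> None:
        self.users[username] = User(password_hash)

    def login(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, self.users[username].credential_generation, now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None or now - sess.issued_at > self.ttl:
            return False  # unknown token or past the absolute lifetime
        user = self.users.get(sess.username)
        return user is not None and sess.generation == user.credential_generation

    def reset_password(self, username: str, new_password_hash: str) -> None:
        user = self.users[username]
        user.password_hash = new_password_hash
        user.credential_generation += 1  # every outstanding session now fails validate()
        self.sessions = {t: s for t, s in self.sessions.items() if s.username != username}
```

The generation check is what closes the gap described above: a token issued before the reset still exists client-side but no longer matches the user's current generation, so it is rejected regardless of how much of its lifetime remains.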
CVE-2026-1163 is a vulnerability in lollms versions ≤11.0.0 where attackers can maintain access to accounts even after password resets due to insufficient session expiration logic.
You are affected if you are using lollms version 11.0.0 or earlier. The vulnerability allows persistent unauthorized access after a password reset.
Upgrade lollms to a version greater than 11.0.0. As a temporary workaround, shorten the session duration and implement stricter session invalidation policies.
There is no confirmed active exploitation of CVE-2026-1163 as of the current date, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the official parisneo/lollms advisory for details regarding CVE-2026-1163 and the available patch.