LeakyCreds

CVE-2026-1114 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: April 7, 2026

parisneo lollms - Authentication Bypass

Published: April 7, 2026
Updated: April 7, 2026
Remote Exploitable

Overview

parisneo/lollms 2.1.0 contains broken authentication caused by a weak secret key used to sign JSON Web Tokens. Because the secret is weak, an attacker who obtains a JWT can brute-force the signing key offline, then forge admin tokens and escalate privileges. Exploitation requires the attacker to first obtain a JWT token.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 4.5% (probability of exploitation in the next 30 days)

Impact

Attackers can forge admin tokens to escalate privileges and access restricted endpoints, compromising the system's security.

Mitigation

Upgrade to version 2.2.0.
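The weakness described in the Overview is a signing secret short enough to be guessed offline. The following is an added illustration of the corresponding defensive control, written for this page; it is not code from lollms or from this advisory, and the function names and the minimal HS256 implementation are assumptions. It enforces the RFC 7518 section 3.2 minimum for HS256 keys (at least 256 bits), sources the secret from the OS CSPRNG, pins the algorithm during verification, and shows that a token whose role claim has been edited fails the signature check.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# RFC 7518 section 3.2: an HS256 key MUST be at least as long as the hash
# output, i.e. 256 bits (32 bytes). Short, human-chosen strings fall far
# below this, which is what makes offline guessing of the secret feasible.
MIN_HS256_SECRET_BYTES = 32


def validate_secret(secret: bytes) -> None:
    """Refuse to start with a signing secret too short to resist offline guessing."""
    if len(secret) < MIN_HS256_SECRET_BYTES:
        raise ValueError(
            f"JWT signing secret is {len(secret)} bytes; HS256 needs at least "
            f"{MIN_HS256_SECRET_BYTES} bytes (RFC 7518 section 3.2)"
        )


def weak_secret_rejected(secret: bytes) -> bool:
    """True if validate_secret() would reject this secret at startup."""
    try:
        validate_secret(secret)
    except ValueError:
        return True
    return False


def generate_secret() -> bytes:
    """Hypothetical helper: a fresh 256-bit secret from the OS CSPRNG."""
    return secrets.token_bytes(MIN_HS256_SECRET_BYTES)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT; refuses weak secrets before signing anything."""
    validate_secret(secret)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims when the signature verifies under HS256, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def tamper_role(token: str) -> str:
    """Constructed negative test input: rewrite the role claim, keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = "admin"
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


if __name__ == "__main__":
    print("weak secret rejected:", weak_secret_rejected(b"secret"))
    key = generate_secret()
    token = sign_jwt({"sub": "alice", "role": "user"}, key)
    print("valid token verifies:", verify_jwt(token, key))
    print("edited role verifies:", verify_jwt(tamper_role(token), key))
```

The startup check is the part that matters for this advisory: with a 32-byte random secret there is no feasible offline search, so possession of a valid token no longer lets anyone recover the key and mint admin tokens. Verification also returns None for any `alg` other than the one the service issues.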

Social Media Activity (2 posts)

TheHackerWire
@thehackerwire
Apr 7, 2026

🔓 CVE-2026-1114 - Critical (9.8) In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brut... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1114/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

OffSequence
@offseq
Apr 7, 2026

🔓 CRITICAL: CVE-2026-1114 in parisneo/lollms v2.1.0 — weak JWT secret lets attackers brute-force, forge admin tokens & escalate privileges. Patch to v2.2.0 now! https://radar.offseq.com/threat/cve-2026-1114-cwe-284-improper-access-control-in-p-40f6ba09 #OffSeq #CVE20261114 #AppSec #infosec


Details

CVE ID: CVE-2026-1114
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: unconfirmed
EPSS: 4.5%
Social Posts: 2

CWE

  • CWE-284

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.5% (probability of exploitation in the next 30 days)