CVE-2026-1117
February 02, 2026
A vulnerability in the "lollms_generation_events.py" component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The "add_events" function registers event handlers such as "generate_text", "cancel_generation", "generate_msg", and "generate_msg_from" without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags ("lollmsElfServer.busy", "lollmsElfServer.cancel_gen") for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.
Affected Packages
https://github.com/parisneo/lollms.git (GITHUB):
Affected version(s) >=v1.0.0 <v2.1.0Fix Suggestion:
Update to version v2.1.0lollms (PYTHON):
Affected version(s) >=1.1.2 <2.1.0Fix Suggestion:
Update to version 2.1.0Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
HIGH
Weakness Type (CWE)
Improper Access Control
EPSS
Base Score:
0.03
