CRITICAL🇵🇱 Wersja polska

CVE-2026-0558

CVSS 9.8v3.1pub. 2026-03-29upd. 2026-03-31

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

🤖 AI Analysis
How it works

The `/api/files/extract-text` endpoint does not enforce authentication, unlike other file handling endpoints in the same application. It lacks the `Depends(get_current_active_user)` dependency, which is used in other endpoints and is responsible for user identity verification. Any person with network access to the application can therefore send requests to this endpoint and initiate file processing without any login.

Impact

An attacker can cause server resource exhaustion (DoS through resource exhaustion), information disclosure, and violation of documented application security policies. Due to the lack of authentication requirement, any person with network access to the service can conduct the attack.

Mitigation & patch

Update the application to the version that includes the patch described in commit a6625dc83786ff21d109b0d545ca61b770607ef3 in the GitHub repository. The patch consists of adding the required authentication dependency to the `/api/files/extract-text` endpoint. If an immediate update is not possible, it is recommended to restrict network access to the application (e.g., through a firewall or authenticating reverse proxy).

Who is affected

parisneo/Lollms in versions up to 2.2.0 inclusive

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lollms

    APP
    Lollms
    ≤ 2.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoSAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-1115CRITICAL9.6PL ✓ten sam produkt

Stored XSS w funkcji create_post platformy lollms — przejęcie konta

CVE-2026-1114CRITICAL9.8PL ✓ten sam produkt

Słaby klucz JWT umożliwia privilege escalation w parisneo/lollms

CVE-2024-3429CRITICAL9.8PL ✓ten sam produkt

Path Traversal w lollms — nieautoryzowany odczyt plików na Windows

CVE-2026-0562HIGH8.3ten sam produkt

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to acc...

CVE-2026-0560HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specific...