parisneo/lollms JWT Weak Key Privilege Escalation (CVE-2026-1114)

Vulnerability Report Summary: parisneo/lollms JWT Weak Key Vulnerability 1. Vulnerability Overview Vulnerability Title: Improper Access Control via Weak JWT Token Leads to Admin Takeover and Privilege Escalation in parisneo/lollms CVE ID: CVE-2026-1114 Vulnerability Type: Improper Access Control Severity: Critical (9.6) Description: The application's session management contains authorization bypass and vertical privilege escalation vulnerabilities. During dynamic analysis of the authentication flow, it was discovered that JSON Web Tokens (JWT) are signed using a weak key. This allows attackers to perform offline brute-force attacks against the signature. Once the key is recovered, attackers can forge administrative tokens to gain full system access. 2. Scope of Impact CVSS Score: Critical (9.6) Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Impact: Integrity (High), Availability (High) Affected Versions: 2.2.0 Registry: PyPI Status: Fixed Discoverer: Mahmoud Khalid 3. Remediation The vendor (Saifeddine ALOUI) implemented a Defense in Depth strategy: 1. Secure Installation: Updated installation scripts ( and ) to eliminate the use of placeholder values (e.g., "changeme"). Instead, the system now uses Python's module to generate high-entropy, 32-character URL-safe strings as the default key. 2. Automatic Key Rotation for Existing/Legacy Deployments**: Modified the backend configuration logic ( ). Upon application startup, the system checks if the loaded matches known weak default values (e.g., "changeme", "a_very_secret_key_..."). If a match is found, the application automatically generates a new key in memory and updates the environment variables without requiring manual intervention. 4. Proof of Concept (POC) Example brute-force command mentioned in the reproduction steps:

Goal Reached Thanks to every supporter — we hit 100%!

parisneo/lollms JWT Weak Key Privilege Escalation (CVE-2026-1114)