parisneo/lollms: Persistent Access After Password Reset

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.1

parisneo/lollms: Persistent Access After Password Reset

CVE-2026-1163

Summary

A vulnerability in parisneo/lollms allows an attacker to keep using an old session after a password reset, potentially giving them continued access to a compromised account. This happens because the application doesn't automatically invalidate old sessions. To protect your users, consider shortening the session duration or implementing logic to reject old sessions after a period of inactivity.

Original title

Original description

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.

nvd CVSS3.0 4.1

Vulnerability type

CWE-613

https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b

Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026