CVE-2026-0558

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
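The defect described above is a route that is missing the authentication dependency its sibling endpoints carry, which is something a static audit over the router source can catch before deployment. The following is an added example, not lollms code or the project's fix: it parses a FastAPI-style module with Python's `ast` module and flags route handlers that declare neither a `Depends(get_current_active_user)` parameter nor a `dependencies=[...]` entry naming it. The sample router source is constructed for illustration.

```python
import ast

# Constructed sample router (not lollms code): three file endpoints, one unauthenticated.
SAMPLE_ROUTER = '''
from fastapi import APIRouter, Depends, File, UploadFile
router = APIRouter(prefix="/api/files")
@router.post("/upload")
async def upload(file: UploadFile = File(...), user=Depends(get_current_active_user)):
    ...
@router.post("/extract-text")
async def extract_text(file: UploadFile = File(...)):
    ...
@router.delete("/{file_id}", dependencies=[Depends(get_current_active_user)])
async def delete_file(file_id: str):
    ...
'''

AUTH_DEP = "get_current_active_user"

def _is_auth_depends(node, dep_name):
    """True if node is the call Depends(<dep_name>)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name) and node.func.id == "Depends"
            and len(node.args) == 1
            and isinstance(node.args[0], ast.Name) and node.args[0].id == dep_name)

def unauthenticated_routes(source, dep_name=AUTH_DEP):
    """Return (path, handler) for routes that neither take a Depends(dep_name)
    parameter nor list it in the decorator's dependencies=[...]."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Auth declared as a parameter default: user=Depends(get_current_active_user)
        defaults = [d for d in fn.args.defaults + fn.args.kw_defaults if d is not None]
        guarded = any(_is_auth_depends(d, dep_name) for d in defaults)
        for deco in fn.decorator_list:
            # Only @router.<method>("/path", ...) decorators describe routes.
            if not (isinstance(deco, ast.Call) and isinstance(deco.func, ast.Attribute)
                    and deco.args and isinstance(deco.args[0], ast.Constant)):
                continue
            # Auth declared on the route itself: dependencies=[Depends(...)]
            on_route = any(_is_auth_depends(e, dep_name)
                           for kw in deco.keywords
                           if kw.arg == "dependencies" and isinstance(kw.value, ast.List)
                           for e in kw.value.elts)
            if not (guarded or on_route):
                findings.append((deco.args[0].value, fn.name))
    return findings
```

Run against a real router module, the returned list is the set of handlers to review; on the constructed sample only `/extract-text` is reported.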
Configurations

Configuration 1

cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:10

Summary
  Values Added:
  • (es) A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

31 Mar 2026, 19:45

First Time
  Values Added: Lollms; Lollms lollms
CVSS
  Values Removed: v2 : unknown; v3 : 7.5
  Values Added: v2 : unknown; v3 : 9.8
CPE
  Values Added: cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*
References
  Values Removed: https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3
  Values Added: https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3 - Patch
References
  Values Removed: https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113
  Values Added: https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113 - Exploit, Issue Tracking, Third Party Advisory
CWE
  Values Added: NVD-CWE-noinfo

29 Mar 2026, 18:16

New CVE

Information

Published : 2026-03-29 18:16

Updated : 2026-06-17 10:10
NVD link : CVE-2026-0558

Mitre link : CVE-2026-0558

CVE.ORG link : CVE-2026-0558

Products Affected

lollms

  • lollms

CWE
CWE-287

Improper Authentication

NVD-CWE-noinfo