GHSA-82fw-ch24-j34w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-82fw-ch24-j34w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-82fw-ch24-j34w/GHSA-82fw-ch24-j34w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-82fw-ch24-j34w
- Aliases
- Published
- 2026-02-02T12:31:14Z
- Modified
- 2026-02-03T17:52:12.816997Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
- Summary
- Lollms has an Improper Access Control vulnerability
- Details
-
A vulnerability in the
lollms_generation_events.pycomponent of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. Theadd_eventsfunction registers event handlers such asgenerate_text,cancel_generation,generate_msg, andgenerate_msg_fromwithout implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (lollmsElfServer.busy,lollmsElfServer.cancel_gen) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service. - Database specific
{ "cwe_ids": [ "CWE-284" ], "github_reviewed_at": "2026-02-02T21:56:51Z", "nvd_published_at": "2026-02-02T10:16:06Z", "severity": "HIGH", "github_reviewed": true }- References
Affected packages
PyPI / lollms
Package
- Name
- lollms
- View open source insights on deps.dev
- Purl
- pkg:pypi/lollms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.1.0