CVE-2026-0558

EUVD-2026-17035

29.03.2026, 18:16

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 63%

Affected Products (NVD)

Vendor	Product	Version
lollms	lollms	𝑥 ≤ 2.1.0

𝑥

= Vulnerable software versions

Known Exploits!

https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3

https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113