This vulnerability exists in Lollms version 2.1.0 due to the use of a weak secret key for signing JSON Web Tokens for session management. Attackers can perform an offline brute-force attack to recover the secret key, then forge administrative JWT tokens to gain full administrative access. This allows unauthorized privilege escalation and full system compromise.
Remediation
Upgrade Lollms to version 2.2.0 or later, which resolves this issue. After upgrading, generate a new strong, cryptographically secure secret key for JWT signing to prevent similar attacks.
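As an added example that is not part of the advisory or of the Lollms code base, the following stdlib-only Python shows the remediation side of this class of bug: an HS256 signer that refuses to sign with a weak or placeholder secret, a generator that draws a fresh 256-bit key from the OS CSPRNG, and a verifier that rejects tokens signed under any other key. The list of known-weak secrets is constructed for illustration, and the 32-byte minimum follows RFC 7518's requirement that an HS256 key be at least as long as the hash output.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder secrets that must never sign production tokens
# (assumption: a real deployment would add its own shipped defaults here).
KNOWN_WEAK_SECRETS = {"secret", "changeme", "password", "jwt_secret"}
MIN_SECRET_BYTES = 32  # 256 bits: the HS256 minimum key size per RFC 7518


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def secret_is_strong(secret: str) -> bool:
    """Reject short, predictable or low-diversity HS256 signing keys."""
    if secret.lower() in KNOWN_WEAK_SECRETS:
        return False
    if len(secret.encode()) < MIN_SECRET_BYTES:
        return False
    return len(set(secret)) >= 16  # crude guard against e.g. 'aaaa...'


def generate_secret() -> str:
    """Fresh 256-bit key from the OS CSPRNG, URL-safe encoded (43 chars)."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT signer that refuses to use a weak secret."""
    if not secret_is_strong(secret):
        raise ValueError("refusing to sign JWT with a weak secret")
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature checks out under `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):  # constant-time compare
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Wiring `secret_is_strong` into application start-up, so the service refuses to boot on a weak key, is what keeps a 2.1.0-style regression from reappearing.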