CVE-2026-0558
Status: Received - Intake
Unauthenticated File Upload in parisneo/lollms Causes DoS

Publication date: 2026-03-29

Last updated on: 2026-03-31

Assigner: huntr.dev

Description
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
lollms | lollms | to 2.1.0 (inc)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the parisneo/lollms application up to version 2.2.0, where the `/api/files/extract-text` endpoint does not require authentication. Unlike other file-related endpoints, it lacks the necessary dependency to verify the current active user, allowing unauthenticated users to upload and process files.

Because of this, attackers can exploit the endpoint to upload files without restriction, potentially causing denial of service (DoS) by exhausting system resources, disclosing sensitive information, and violating the application's documented security policies.


How can this vulnerability impact me?

The vulnerability can impact you by allowing unauthenticated users to upload and process files, which can lead to several security issues:

  • Denial of Service (DoS) through resource exhaustion, potentially making the application unavailable.
  • Information disclosure by processing files without proper access control.
  • Violation of the application's security policies, which can undermine trust and security posture.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring access to the `/api/files/extract-text` endpoint for unauthenticated requests, as this endpoint should require authentication but does not in vulnerable versions.

You can use network traffic inspection tools or web server logs to identify requests to this endpoint without valid authentication tokens or credentials.

Example commands to detect such activity include:

  • Using curl to test access without authentication: `curl -v http://<target>/api/files/extract-text`
  • Using grep on web server logs to find unauthenticated access attempts: `grep '/api/files/extract-text' /var/log/nginx/access.log | grep -v 'Authorization'`
  • Using tcpdump or Wireshark to capture HTTP requests to the endpoint and analyze headers for missing authentication.
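The log-review step above can be scripted. The following is an added example, not part of this advisory or of the lollms project: it parses nginx "combined"-format access log lines, isolates requests to `/api/files/extract-text`, and reports per-client request volume, which is the signal that matters for the resource-exhaustion risk described here. The combined format records `$remote_user` only for HTTP Basic authentication and does not log the `Authorization` header at all, so a `-` in that field does not by itself prove the request was unauthenticated; capturing bearer-token presence needs a custom `log_format`. The sample log lines, the threshold and the path constant are constructed for this example.

```python
import re

# Path of the affected endpoint, as named in the advisory.
TARGET_PATH = "/api/files/extract-text"

# Constructed sample lines in nginx "combined" format (not real traffic).
# 203.0.113.10 hammers the endpoint anonymously; 198.51.100.7 is a Basic-auth user.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Mar/2026:10:00:01 +0000] "POST /api/files/extract-text HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [29/Mar/2026:10:00:02 +0000] "POST /api/files/extract-text HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [29/Mar/2026:10:00:02 +0000] "POST /api/files/extract-text HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - alice [29/Mar/2026:10:00:05 +0000] "POST /api/files/extract-text HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - alice [29/Mar/2026:10:00:09 +0000] "GET /api/files/list HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Mar/2026:10:00:03 +0000] "POST /api/files/extract-text HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Fields of the combined format up to the response size; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize_endpoint(log_text, path=TARGET_PATH):
    """Aggregate requests to `path` per client IP: count, bytes sent, remote_user values seen."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != path:
            continue
        entry = stats.setdefault(rec["ip"], {"requests": 0, "bytes": 0, "users": set()})
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["users"].add(rec["user"])  # "-" means no Basic-auth user was recorded
    return stats


def flag_clients(log_text, threshold=3):
    """IPs that hit the endpoint at least `threshold` times in the log slice (constructed threshold)."""
    return sorted(ip for ip, s in summarize_endpoint(log_text).items() if s["requests"] >= threshold)


if __name__ == "__main__":
    for ip, s in summarize_endpoint(SAMPLE_LOG).items():
        print(f"{ip}: {s['requests']} requests, {s['bytes']} bytes, remote_user={sorted(s['users'])}")
    print("flagged:", flag_clients(SAMPLE_LOG))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; tune `threshold` to the normal request rate of the deployment, and treat a flagged client with `remote_user` of `-` as a prompt to check the application's own authentication records rather than as proof on its own.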

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include enforcing authentication on the `/api/files/extract-text` endpoint to prevent unauthenticated file uploads and processing.

Specifically, update the application to include the dependency on `get_current_active_user` for this endpoint, as done in the security patch.

Additionally, validate uploaded files rigorously by implementing MIME type whitelisting and content verification using libraries such as PIL for images.

Sanitize filenames and use unique prefixes to avoid injection or collision risks.

If updating the application immediately is not possible, consider restricting access to the vulnerable endpoint at the network or firewall level to trusted users only.
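The mitigation steps above (an authentication gate on the endpoint, MIME whitelisting with content verification, filename sanitization with a unique prefix) are shown together in the following stand-alone Python, an added example that is not lollms code. In the FastAPI application the gate is the `Depends(get_current_active_user)` route dependency named in the patch; here it is a plain function call on a hypothetical `User` record so the block runs without a web framework, and the PIL-based image check the answer suggests is replaced by a magic-byte check so it needs only the standard library. `ALLOWED_TYPES`, `MAX_BYTES` and the test cases in `run_cases` are constructed for this example.

```python
import os
import re
import secrets
from dataclasses import dataclass


@dataclass
class User:
    """Hypothetical stand-in for the record get_current_active_user would return."""
    username: str
    is_active: bool = True


class AuthError(Exception):
    """Raised when no active user is attached to the request (maps to HTTP 401)."""


class UploadRejected(Exception):
    """Raised when the upload fails validation (maps to HTTP 400/415)."""


# Constructed whitelist: declared MIME type -> magic bytes the content must start with.
# None means "no magic available"; such types get a different content check below.
ALLOWED_TYPES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/pdf": [b"%PDF-"],
    "text/plain": None,
}
MAX_BYTES = 10 * 1024 * 1024  # constructed size cap; bounds the work an upload can trigger


def require_active_user(user):
    """The authentication gate the vulnerable endpoint lacked."""
    if user is None or not user.is_active:
        raise AuthError("authentication required")
    return user


def sanitize_filename(name):
    """Drop directory components, keep a safe character set, prepend a random prefix."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._") or "upload"
    return f"{secrets.token_hex(8)}_{base[:100]}"


def verify_content(declared_type, data):
    """Whitelist the declared type, cap the size, and check the bytes match the claim."""
    if declared_type not in ALLOWED_TYPES:
        raise UploadRejected(f"type {declared_type!r} not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    magics = ALLOWED_TYPES[declared_type]
    if magics is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("declared text/plain but content is not UTF-8")
    elif not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match declared type")
    return True


def handle_extract_text(user, filename, declared_type, data):
    """Hardened request handler: authenticate first, then validate, then accept."""
    require_active_user(user)
    verify_content(declared_type, data)
    return {"stored_as": sanitize_filename(filename), "owner": user.username, "size": len(data)}


def run_cases():
    """Exercise the handler on constructed inputs; returns case name -> outcome."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    alice = User("alice")
    cases = {
        "no_user": (None, "scan.png", "image/png", png),
        "inactive_user": (User("bob", is_active=False), "scan.png", "image/png", png),
        "spoofed_type": (alice, "scan.png", "image/png", b"this is not a PNG"),
        "traversal_name": (alice, "../../etc/passwd.png", "image/png", png),
        "ok": (alice, "report.pdf", "application/pdf", b"%PDF-1.7 constructed"),
    }
    results = {}
    for name, args in cases.items():
        try:
            handle_extract_text(*args)
            results[name] = "accepted"
        except (AuthError, UploadRejected) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case}: {outcome}")
```

The order inside `handle_extract_text` is the point: authentication runs before any byte of the upload is inspected, so an unauthenticated caller cannot make the server spend parsing effort, which is what the resource-exhaustion scenario in the description relies on.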


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated users to upload and process files, leading to potential information disclosure and violation of the application's documented security policies.

Such unauthorized access and information disclosure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Additionally, the risk of denial of service (DoS) through resource exhaustion could affect the availability requirements mandated by these regulations.

