CVE-2026-1163
Received Received - Intake
Persistent Session Hijacking in parisneo/lollms Due to Insufficient Expiration

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: huntr.dev

Description
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1163
EUVD
EUVD-2026-20030
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parisneo lollms *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an insufficient session expiration issue in the latest version of parisneo/lollms. The application does not invalidate active sessions after a user resets their password, which means an attacker can continue to use an old session token even after the password change.

The problem occurs because there is no logic to reject requests after a period of inactivity, and the default session duration is excessively long at 31 days.

As a result, an attacker who has compromised an account can maintain persistent access despite the victim resetting their password.

Impact Analysis

This vulnerability can allow an attacker to maintain unauthorized access to a compromised account even after the legitimate user resets their password.

Because sessions are not invalidated promptly, the attacker can continue to perform actions under the victim's identity, potentially leading to data theft, unauthorized transactions, or other malicious activities.

The long default session duration of 31 days increases the window of opportunity for attackers to exploit this issue.

Compliance Impact

This vulnerability allows an attacker to maintain persistent access to a compromised account even after a password reset, due to insufficient session expiration controls.

Such persistent unauthorized access could lead to violations of data protection requirements in standards like GDPR and HIPAA, which mandate strict controls over user authentication and session management to protect personal and sensitive data.

Failure to invalidate sessions after password resets and the long default session duration increase the risk of unauthorized data access, potentially impacting compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1163. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart