Lollms Session Hijacking Flaw: Password Resets Don't Cut It
CVE Notify is flagging a critical session expiration vulnerability in the parisneo/lollms application. Dubbed CVE-2026-1163, this flaw allows attackers to maintain access to an account even after the legitimate user resets their password. The root cause, according to CVE Notify, is the application's failure to invalidate existing session tokens after a password reset. Compounding the issue is the absence of any logic to reject requests after a period of inactivity, together with a default session duration stretching a full 31 days.
This means a compromised session token remains valid for an extended period, giving an attacker a persistent backdoor. Even if the user takes the most basic security step of changing their password, their account remains vulnerable to hijacking until the old session token naturally expires. This is a classic case of insufficient session management, a weakness that can lead to significant data breaches and unauthorized access.
What This Means For You
- Security teams should implement stricter session timeout policies and enforce immediate invalidation of all active sessions upon any credential change, including password resets, to mitigate risks associated with lingering session tokens.
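To make that recommendation concrete, here is an added example (not code from lollms or CVE Notify) of a minimal in-memory token store with two validators: one that mirrors the behaviour the advisory describes (only a 31-day absolute lifetime) and a hardened one that also enforces an idle timeout and rejects tokens issued before the user's last credential change. The per-user generation counter, the timeout values and the store layout are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass, field

DAY = 24 * 3600
WEAK_MAX_AGE = 31 * DAY       # the 31-day default described in the advisory
HARDENED_MAX_AGE = 1 * DAY    # assumed absolute lifetime for the hardened path
IDLE_TIMEOUT = 30 * 60        # assumed inactivity limit for the hardened path

@dataclass
class Session:
    user: str
    cred_gen: int      # user's credential generation when the token was issued
    issued_at: float
    last_seen: float

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)   # token -> Session
    cred_gen: dict = field(default_factory=dict)   # user -> current generation

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.cred_gen.get(user, 0), now, now)
        return token

    def reset_password(self, user):
        # Bump the generation: every token issued under the old one becomes stale.
        self.cred_gen[user] = self.cred_gen.get(user, 0) + 1

    def validate_weak(self, token, now):
        s = self.sessions.get(token)
        if s is None or now - s.issued_at > WEAK_MAX_AGE:
            return None
        return s.user      # no inactivity check, no credential-change check

    def validate_hardened(self, token, now):
        s = self.sessions.get(token)
        if s is None:
            return None
        stale = (s.cred_gen != self.cred_gen.get(s.user, 0)
                 or now - s.issued_at > HARDENED_MAX_AGE
                 or now - s.last_seen > IDLE_TIMEOUT)
        if stale:
            del self.sessions[token]   # discard the token, do not just deny once
            return None
        s.last_seen = now              # sliding idle window on successful use
        return s.user
```

Times are passed in explicitly so the logic can be exercised without a clock; in a real service `now` would come from `time.time()` and the store would be shared across workers.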
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-1163 | Auth Bypass | parisneo/lollms, latest version. Vulnerability: Insufficient session expiration. Allows reuse of old session tokens after password reset due to lack of inactivity checks and long default session duration (31 days). |