Lollms Session Hijacking Flaw: Password Resets Don't Cut It

CVE Notify is flagging a critical session expiration vulnerability in the parisneo/lollms application, tracked as CVE-2026-1163 and affecting the latest version at the time of the report. The flaw lets an attacker keep using an account even after the legitimate user resets their password. The root cause, according to CVE Notify, is that the application does not invalidate existing session tokens after a password reset. Two further weaknesses compound it: there is no inactivity (idle) timeout that would reject requests from a dormant session, and the default session duration is a full 31 days.

A stolen session token therefore stays usable for up to 31 days, giving an attacker a persistent backdoor into the account. Changing the password, the first thing most users do after a suspected compromise, does not evict the attacker; the account remains hijackable until the old token reaches its absolute expiry. This is a classic case of insufficient session expiration (CWE-613), a session-management weakness that can lead to unauthorized access and data breaches.

What This Means For You

  • Security teams should enforce immediate invalidation of every active session on any credential change, password resets included, so that no lingering token outlives the credential it was issued under. Session lifetimes should also be tightened: an idle timeout that rejects requests from a session that has been inactive, in addition to an absolute lifetime well short of 31 days.
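The fix is easy to show in code. The following is an added example, not code from the lollms project or from CVE Notify: a small in-memory session store, written in Python since lollms is a Python application, with the weak configuration from the advisory (no revocation on reset, no idle timeout, 31-day lifetime) beside a hardened one. The class and function names, the per-user credential version counter used for revocation, and the hardened values (30-minute idle timeout, 1-day absolute lifetime) are all assumptions for illustration; the timeline in the scenario is constructed.

```python
# Added example, not code from the lollms project: a minimal in-memory session
# store reproducing the weakness in the advisory next to a hardened configuration.
# All names and the hardened timeouts are hypothetical choices for illustration.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 24 * 60 * 60


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    credential_version: int   # the user's counter value when this token was issued


class SessionStore:
    def __init__(self, absolute_lifetime: float = 31 * DAY,
                 idle_timeout: Optional[float] = None,
                 revoke_on_password_change: bool = False) -> None:
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self.revoke_on_password_change = revoke_on_password_change
        self._sessions: Dict[str, Session] = {}
        # Per-user counter bumped on every password change. Tokens remember the
        # value they were issued under, so one bump revokes all of them at once.
        self._credential_version: Dict[str, int] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)          # 256-bit random opaque token
        self._sessions[token] = Session(user, now, now,
                                        self._credential_version.get(user, 0))
        return token

    def reset_password(self, user: str, now: float) -> None:
        # The password update itself is omitted; only the session handling matters.
        if self.revoke_on_password_change:
            self._credential_version[user] = self._credential_version.get(user, 0) + 1

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a valid token, else None (and drop the token)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        expired = (
            now - s.issued_at > self.absolute_lifetime                       # absolute lifetime
            or (self.idle_timeout is not None
                and now - s.last_seen > self.idle_timeout)                   # idle timeout
            or s.credential_version != self._credential_version.get(s.user, 0)  # revoked by reset
        )
        if expired:
            del self._sessions[token]
            return None
        s.last_seen = now   # sliding idle window
        return s.user


def replay_after_reset(store: SessionStore, t0: float = 0.0) -> List[bool]:
    """Scenario from the advisory (constructed timeline): the attacker steals a token,
    the victim resets the password two minutes later. Returns whether the stolen
    token still works [one minute after the reset, 10 days later, 32 days later]."""
    stolen = store.login("victim", t0)                 # attacker copies this token
    assert store.validate(stolen, t0 + 60) == "victim"  # attacker uses it once
    store.reset_password("victim", t0 + 120)           # victim reacts
    return [
        store.validate(stolen, t0 + 180) == "victim",
        store.validate(stolen, t0 + 10 * DAY) == "victim",
        store.validate(stolen, t0 + 32 * DAY) == "victim",
    ]


def idle_token_is_rejected(store: SessionStore, t0: float = 0.0) -> bool:
    """A token left unused for longer than the idle timeout must be rejected."""
    token = store.login("victim", t0)
    idle = store.idle_timeout or 0
    return store.validate(token, t0 + idle + 1) is None


def fresh_login_after_reset_works(store: SessionStore, t0: float = 0.0) -> bool:
    """Revocation must not lock the legitimate user out of a new session."""
    store.reset_password("victim", t0)
    token = store.login("victim", t0 + 1)
    return store.validate(token, t0 + 2) == "victim"


VULNERABLE = dict(absolute_lifetime=31 * DAY, idle_timeout=None, revoke_on_password_change=False)
HARDENED = dict(absolute_lifetime=1 * DAY, idle_timeout=30 * 60, revoke_on_password_change=True)

if __name__ == "__main__":
    print("vulnerable:", replay_after_reset(SessionStore(**VULNERABLE)))  # [True, True, False]
    print("hardened:  ", replay_after_reset(SessionStore(**HARDENED)))    # [False, False, False]
```

In the vulnerable configuration the stolen token survives the reset and only dies when the 31-day absolute lifetime runs out; in the hardened one the first check after the reset fails solely because of the credential version mismatch (the token is neither idle-expired nor past its lifetime at that point), which is the behaviour the advisory says lollms lacks. Revoking by bumping a per-user counter, rather than walking the session table, is what makes the check cheap enough to run on every request.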

Related ATT&CK Techniques

T1539 Steal Web Session Cookie (Credential Access), rated high. One Sigma detection rule is mapped to this technique, sourced from Shimi's Cyber World.

Indicators of Compromise

ID: CVE-2026-1163
Type: Auth Bypass
Indicator: parisneo/lollms, latest version. Vulnerability: insufficient session expiration. Old session tokens remain usable after a password reset because there is no inactivity check and the default session duration is long (31 days).
