Cyber Posture

CVE-2026-0558

Severity: Critical · Public PoC
Published: 29 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (63.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0558 is a critical-severity Improper Authentication (CWE-287) vulnerability in Lollms Lollms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent · AC-14 Permitted Actions Without Identification or Authentication: directly requires identification and restriction of actions performable without authentication, preventing unauthenticated access to the /api/files/extract-text endpoint.
- prevent · AC-3 Access Enforcement: mandates enforcement of approved authorizations for access to system resources, ensuring the endpoint requires authentication like other file-related endpoints.
- prevent: enforces least privilege by authorizing access to file upload and processing only to explicitly approved users, mitigating unauthorized exploitation.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1105 Ingress Tool Transfer (Command and Control): adversaries may transfer tools or other files from an external system into a compromised environment.
- T1499.004 Application or System Exploitation (Impact): adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated file upload and processing via public-facing API endpoint directly enables public-facing application exploitation (T1190), ingress tool transfer (T1105), and application-level DoS via resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

Deeper analysis

CVE-2026-0558 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the parisneo/lollms software, affecting versions up to and including 2.2.0. The issue stems from the `/api/files/extract-text` endpoint, which permits unauthenticated users to upload and process files without enforcing authentication, unlike other file-related endpoints. It specifically lacks the `Depends(get_current_active_user)` dependency, enabling improper authentication (CWE-287).

Any unauthenticated attacker with network access can exploit this endpoint to upload and process arbitrary files. Successful exploitation can result in denial of service through resource exhaustion, information disclosure by extracting text from sensitive files, and violation of the application's documented security policies, potentially compromising confidentiality, integrity, and availability.
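The root cause described above is a FastAPI route that was registered without the `Depends(get_current_active_user)` dependency its sibling file routes carry. The defensive check a reviewer wants is an audit that lists every route in a code base whose handler has no authentication dependency, so a single missing `Depends(...)` cannot slip through again. The following script is an added example written for this page, not code from lollms or from the referenced commit; it parses Python source with the standard-library `ast` module and flags route handlers that carry neither an auth dependency in a parameter default nor one in the decorator's `dependencies=[...]` list. The sample module, the dependency names in `AUTH_DEPENDENCIES`, and the `rate_limit` dependency on the health route are all constructed for illustration.

```python
import ast
from typing import List, Optional, Tuple

# Constructed sample of a FastAPI-style module, written for this example and
# NOT taken from lollms: the upload route carries the auth dependency, the
# extract-text route does not, and /health is intentionally public.
SAMPLE_SOURCE = '''\
from fastapi import APIRouter, Depends, File, UploadFile

router = APIRouter()

@router.post("/api/files/upload")
async def upload_file(file: UploadFile = File(...), user=Depends(get_current_active_user)):
    return {"ok": True}

@router.post("/api/files/extract-text")
async def extract_text(file: UploadFile = File(...)):
    return {"text": "..."}

@router.get("/health", dependencies=[Depends(rate_limit)])
def health():
    return {"status": "up"}
'''

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
# Dependency names treated as "this route authenticates the caller".
# Assumption for the example; extend the set for a real code base.
AUTH_DEPENDENCIES = {"get_current_active_user", "get_current_user"}


def _route_path(decorator: ast.expr) -> Optional[str]:
    """Return the URL path when the decorator is @<router>.<http_method>("...")."""
    if not isinstance(decorator, ast.Call):
        return None
    func = decorator.func
    if not (isinstance(func, ast.Attribute) and func.attr in HTTP_METHODS):
        return None
    if decorator.args:
        first = decorator.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None


def _is_auth_depends(node: ast.AST) -> bool:
    """True for Depends(<auth dependency>) with a bare-name argument."""
    return (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id == "Depends"
        and len(node.args) == 1
        and isinstance(node.args[0], ast.Name)
        and node.args[0].id in AUTH_DEPENDENCIES
    )


def _has_auth(fn: ast.AST, decorator: ast.Call) -> bool:
    """Auth may sit in a parameter default or in the decorator's dependencies=[...]."""
    for default in fn.args.defaults + fn.args.kw_defaults:
        if default is not None and _is_auth_depends(default):
            return True
    for kw in decorator.keywords:
        if kw.arg == "dependencies" and any(_is_auth_depends(n) for n in ast.walk(kw.value)):
            return True
    return False


def find_unauthenticated_routes(source: str, public_paths=()) -> List[Tuple[str, str, int]]:
    """Return (path, handler name, line) for every route lacking an auth dependency."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for decorator in node.decorator_list:
            path = _route_path(decorator)
            if path is None or path in public_paths:
                continue  # not a route, or explicitly allow-listed as public
            if not _has_auth(node, decorator):
                findings.append((path, node.name, node.lineno))
    return findings


if __name__ == "__main__":
    # Routes deliberately public go on the allow-list; everything else must authenticate.
    for path, name, line in find_unauthenticated_routes(SAMPLE_SOURCE, public_paths={"/health"}):
        print(f"{path} ({name}, line {line}) has no authentication dependency")
```

Run against the sample, the audit reports only `/api/files/extract-text`, which is exactly the endpoint this CVE concerns; the `/health` route is skipped because it is on the explicit allow-list, and the `rate_limit` dependency on it is correctly not mistaken for authentication. Wiring a check like this into CI, with the allow-list reviewed whenever it grows, turns the AC-3 and AC-14 controls above into something enforced on every change rather than on the next bug report.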

Mitigation details are provided in the project's GitHub commit at https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3 and the Huntr bounty report at https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113. Security practitioners should review these resources for patch implementation and upgrade to a fixed version beyond 2.2.0.

Details

CWE(s): CWE-287 Improper Authentication

Affected Products

lollms (vendor: lollms), versions ≤ 2.1.0

CVEs Like This One

- CVE-2026-0562 (same product: Lollms Lollms)
- CVE-2026-0560 (same product: Lollms Lollms)
- CVE-2024-8898 (same vendor: Lollms)
- CVE-2026-33340 (same vendor: Lollms)
- CVE-2024-11322 (shared CWE-287)
- CVE-2025-64055 (shared CWE-287)
- CVE-2024-9920 (same vendor: Lollms)
- CVE-2025-65128 (shared CWE-287)
- CVE-2026-34121 (shared CWE-287)
- CVE-2024-53704 (shared CWE-287)

References