CVE-2026-0558: CWE-287 Improper Authentication in parisneo parisneo/lollms
CVE-2026-0558 is a high-severity improper authentication vulnerability in the parisneo/lollms application, affecting versions up to and including 2.2.0. The `/api/files/extract-text` endpoint does not require authentication, unlike the other file-related endpoints, so unauthenticated clients can upload files and have them processed. The flaw can be exploited to cause denial of service through resource exhaustion and may lead to information disclosure and violation of the application's security policies. It is classified under CWE-287 (Improper Authentication) and carries a CVSS 3.0 base score of 7.5. No exploitation in the wild has been reported, and no patch has been linked yet. Organizations running parisneo/lollms should restrict access to this endpoint now and monitor for unusual file-processing activity.
AI Analysis
Technical Summary
CVE-2026-0558 identifies an improper authentication vulnerability in the parisneo/lollms software, affecting versions up to and including 2.2.0. The root cause is that the `/api/files/extract-text` REST API endpoint lacks the authentication dependency `Depends(get_current_active_user)` that the other file-related endpoints declare, so any network client can upload a file and trigger text extraction with no access control at all. The weakness is CWE-287 (Improper Authentication). An attacker can submit large or numerous files to exhaust CPU, memory or disk during extraction, producing a denial of service, and because no identity is attached to the request, extraction results are returned to callers the application's security policy never authorized. The CVSS v3.0 base score of 7.5 corresponds to a vector of network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact and no availability impact. Note that this vector scores integrity impact only: the denial-of-service and disclosure effects described in this advisory are not reflected in the score and should be assessed separately for each deployment. No public exploit is known, but the flaw is trivial to trigger, since a single unauthenticated upload request reaches the extraction code.
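The missing-dependency pattern described above can be found mechanically rather than by reading every route by hand. The following is an added example, not code from the lollms project: it parses a FastAPI module with Python's standard-library `ast` and lists every route whose handler signature (or decorator-level `dependencies=[...]`) does not contain `Depends(get_current_active_user)`. The sample module it scans is constructed for illustration; its first handler mirrors the advisory's description, the second shows the hardened form that carries the dependency, and the third is a deliberately public route to show that the output is a list to triage, not a list of bugs. The route names, parameters and `app` object are assumptions, not lollms code.

```python
"""Audit FastAPI source for route handlers with no authentication dependency.

Added example, not lollms project code. Uses only the standard library so it
runs against a checkout without installing the application's dependencies.
"""
import ast
from typing import List, Optional, Tuple

# Decorator attribute names that register a route on a FastAPI app or APIRouter.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "api_route"}
# Dependency callables that count as "authenticated". Extend for your code base.
AUTH_DEPENDENCY_NAMES = {"get_current_active_user"}

# Constructed sample module (not lollms code). The first handler mirrors the
# advisory: no auth dependency in its signature. The second is the hardened form.
SAMPLE_SOURCE = '''
from fastapi import Depends, FastAPI, File, UploadFile

app = FastAPI()

@app.post("/api/files/extract-text")
async def extract_text(file: UploadFile = File(...)):
    return {"text": "..."}

@app.post("/api/files/upload")
async def upload_file(file: UploadFile = File(...),
                      current_user=Depends(get_current_active_user)):
    return {"ok": True}

@app.get("/health")
def health():
    return {"status": "ok"}
'''


def _tail_name(node: ast.AST) -> Optional[str]:
    """Last component of a Name or Attribute: fastapi.Depends -> 'Depends'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _route_path(decorator: ast.expr) -> Optional[str]:
    """Return the path if `decorator` is @<app_or_router>.<http_method>(path, ...)."""
    if not isinstance(decorator, ast.Call) or not isinstance(decorator.func, ast.Attribute):
        return None
    if _tail_name(decorator.func) not in HTTP_METHODS:
        return None
    if decorator.args and isinstance(decorator.args[0], ast.Constant) \
            and isinstance(decorator.args[0].value, str):
        return decorator.args[0].value
    for kw in decorator.keywords:  # path may also be passed as path="..."
        if kw.arg == "path" and isinstance(kw.value, ast.Constant) \
                and isinstance(kw.value.value, str):
            return kw.value.value
    return None


def _is_auth_depends(node: ast.AST) -> bool:
    """True for Depends(<auth fn>) where <auth fn> is in AUTH_DEPENDENCY_NAMES."""
    return (
        isinstance(node, ast.Call)
        and _tail_name(node.func) == "Depends"
        and bool(node.args)
        and _tail_name(node.args[0]) in AUTH_DEPENDENCY_NAMES
    )


def find_unauthenticated_routes(source: str) -> List[Tuple[str, str, int]]:
    """Return (path, handler name, line number) for each route lacking an auth dependency.

    A route counts as protected if Depends(<auth fn>) appears either as a parameter
    default in the handler signature or in the decorator's dependencies=[...] list.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for decorator in node.decorator_list:
            path = _route_path(decorator)
            if path is None:
                continue
            in_signature = any(_is_auth_depends(n) for n in ast.walk(node.args))
            in_decorator = any(_is_auth_depends(n) for n in ast.walk(decorator))
            if not (in_signature or in_decorator):
                findings.append((path, node.name, node.lineno))
    return findings


if __name__ == "__main__":
    for path, name, lineno in find_unauthenticated_routes(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}() serves {path} with no auth dependency")
```

Run it over each module that registers routes (for example by reading the file and passing its contents to `find_unauthenticated_routes`) and compare the output against the list of routes that are meant to be public; anything else is a CVE-2026-0558-shaped gap. The audit does not resolve `APIRouter(prefix=...)`, so paths are reported as written in the decorator.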
Potential Impact
The vulnerability can have serious consequences for organizations deploying parisneo/lollms. Unauthenticated access to the file extraction endpoint allows denial of service through resource exhaustion, disrupting any service that depends on the application. Information disclosure is a risk where sensitive data is processed or returned by the endpoint without access control. Bypassing the documented authentication requirement may also create compliance and regulatory exposure. Because the endpoint accepts arbitrary uploads, an attacker can feed crafted files into the extraction pipeline and influence what it produces, which is the integrity impact the CVSS score reflects. The flaw is reachable over the network with no credentials and no user interaction, so every exposed instance is in scope. This affects organizations in any sector that uses parisneo/lollms for document analysis or other AI-related file-processing tasks, including technology and research.
Mitigation Recommendations
To mitigate this vulnerability, restrict access to the `/api/files/extract-text` endpoint immediately by applying the same authentication and authorization controls used by the other file-related endpoints; in practice that means adding the missing `Depends(get_current_active_user)` dependency or equivalent authentication middleware to the route. After the change, confirm that a request to the endpoint with no credentials is rejected (401 or 403) instead of being processed. Network-level controls such as IP allowlisting or VPN-only access further limit exposure. Enforce rate limits and maximum upload sizes on the endpoint to blunt resource-exhaustion attacks. Log file upload and extraction activity, including the source address, so that anomalous bursts and unexpected callers can be detected early. Until an official patch is available, a web application firewall or reverse proxy rule that blocks requests to this path from untrusted sources is a reasonable stopgap; a rule that keys on the presence of credentials must match however lollms actually carries them, so verify it against a legitimate authenticated request before relying on it. Check the vendor's releases and security advisories regularly and apply the patch as soon as it is published.
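The monitoring recommendation above is easiest to act on at a reverse proxy in front of the application. The following is an added example, not lollms code: it parses nginx combined-format access log lines, reports which clients touched `/api/files/extract-text` at all (useful for scoping exposure while the endpoint was unauthenticated) and flags clients whose request rate within a sliding 60-second window reaches a threshold, the footprint a resource-exhaustion attempt leaves. The log lines are constructed, the threshold and window are assumptions to tune per deployment, and nothing here depends on how lollms itself logs.

```python
"""Hunt for abuse of an unauthenticated file-extraction endpoint in access logs.

Added example, not lollms project code. It reads nginx "combined" format lines
(as written by a reverse proxy in front of the application), tallies hits to the
endpoint per client address, and flags clients whose request rate within a
sliding window suggests resource-exhaustion attempts. The log lines below are
constructed for illustration; the addresses come from documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TARGET_PATH = "/api/files/extract-text"

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def _line(ip: str, hms: str, method: str, path: str, status: int) -> str:
    """Build one constructed combined-format line (sample data, not a real capture)."""
    return (f'{ip} - - [29/Mar/2026:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "python-requests/2.31"')


# Constructed sample: one client hits the endpoint 12 times in 33 seconds,
# another touches it twice, and there is unrelated traffic plus a junk line.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"19:16:{s:02d}", "POST", TARGET_PATH, 200) for s in range(0, 36, 3)]
    + [
        _line("198.51.100.4", "19:20:00", "POST", TARGET_PATH, 200),
        _line("198.51.100.4", "19:20:30", "POST", TARGET_PATH, 200),
        _line("198.51.100.4", "19:21:00", "GET", "/api/files/list", 401),
        _line("192.0.2.9", "19:22:10", "GET", "/health", 200),
        "garbage line that does not parse",
    ]
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore any query string
        "status": int(m["status"]),
    }


def hits_by_client(lines: List[str]) -> Dict[str, int]:
    """Total requests to TARGET_PATH per client: who used the endpoint at all."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == TARGET_PATH:
            counts[rec["ip"]] += 1
    return dict(counts)


def burst_sources(lines: List[str], threshold: int = 10,
                  window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, int]]:
    """Clients whose peak count of TARGET_PATH requests inside any `window` reaches `threshold`.

    Returns (ip, peak count) sorted by peak, highest first.
    """
    times: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == TARGET_PATH:
            times[rec["ip"]].append(rec["ts"])
    flagged = []
    for ip, stamps in times.items():
        stamps.sort()
        peak = j = 0
        for i in range(len(stamps)):  # two-pointer sliding window over sorted stamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged.append((ip, peak))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(hits_by_client(SAMPLE_LOG))
    for ip, peak in burst_sources(SAMPLE_LOG):
        print(f"{ip}: {peak} extract-text requests within 60 s")
```

Feed it the proxy's access log with `burst_sources(open(path).readlines())`; every address that `hits_by_client` returns for the exposure window is a candidate for incident scoping regardless of rate, since a single unauthenticated request was enough to reach the extraction code.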
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, South Korea, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: @huntr_ai
- Date Reserved: 2026-01-01T21:43:51.283Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69c97a88e6bfc5ba1dc8618d
Added to database: 3/29/2026, 7:16:24 PM
Last enriched: 3/29/2026, 7:16:35 PM
Last updated: 3/29/2026, 9:33:02 PM