CVE-2026-1163: CWE-613 Insufficient Session Expiration in parisneo parisneo/lollms
CVE-2026-1163 is a medium severity vulnerability in parisneo/lollms involving insufficient session expiration. The application does not invalidate active sessions after a password reset, allowing continued use of old session tokens. This is due to missing logic to reject requests after inactivity and a long default session duration of 31 days. An attacker with access to a session token can maintain persistent access to a compromised account even after the password is changed.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-1163) in parisneo/lollms arises from insufficient session expiration controls (CWE-613). The application fails to invalidate existing session tokens upon password reset, combined with a lack of inactivity timeout and a default session duration of 31 days. This allows an attacker to reuse an old session token to maintain access to an account despite password changes. The CVSS 3.0 score is 4.1 (medium), reflecting network attack vector, high attack complexity, high privileges required, no user interaction, and low impact on confidentiality, integrity, and availability. No patch or official remediation is currently documented.
Potential Impact
The vulnerability allows an attacker who has obtained a valid session token to maintain persistent access to a compromised account even after the legitimate user resets their password. This undermines the effectiveness of password resets as a security measure to terminate unauthorized access. The impact is limited to low confidentiality, integrity, and availability loss as per the CVSS vector, but it poses a risk of prolonged unauthorized account access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to implement manual session invalidation upon password reset if possible, reduce session duration, and monitor for suspicious session reuse. Avoid relying solely on password resets to terminate active sessions.
CVE-2026-1163: CWE-613 Insufficient Session Expiration in parisneo parisneo/lollms
Description
CVE-2026-1163 is a medium severity vulnerability in parisneo/lollms involving insufficient session expiration. The application does not invalidate active sessions after a password reset, allowing continued use of old session tokens. This is due to missing logic to reject requests after inactivity and a long default session duration of 31 days. An attacker with access to a session token can maintain persistent access to a compromised account even after the password is changed.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-1163) in parisneo/lollms arises from insufficient session expiration controls (CWE-613). The application fails to invalidate existing session tokens upon password reset, combined with a lack of inactivity timeout and a default session duration of 31 days. This allows an attacker to reuse an old session token to maintain access to an account despite password changes. The CVSS 3.0 score is 4.1 (medium), reflecting network attack vector, high attack complexity, high privileges required, no user interaction, and low impact on confidentiality, integrity, and availability. No patch or official remediation is currently documented.
Potential Impact
The vulnerability allows an attacker who has obtained a valid session token to maintain persistent access to a compromised account even after the legitimate user resets their password. This undermines the effectiveness of password resets as a security measure to terminate unauthorized access. The impact is limited to low confidentiality, integrity, and availability loss as per the CVSS vector, but it poses a risk of prolonged unauthorized account access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to implement manual session invalidation upon password reset if possible, reduce session duration, and monitor for suspicious session reuse. Avoid relying solely on password resets to terminate active sessions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-01-18T21:30:57.148Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d5be0543e2781badde667d
Added to database: 4/8/2026, 2:31:33 AM
Last enriched: 4/15/2026, 3:52:09 PM
Last updated: 5/23/2026, 10:58:32 PM
Views: 66
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.