CVE-2024-1646
📋 TL;DR
CVE-2024-1646 is an authentication bypass vulnerability in parisneo/lollms-webui that allows unauthorized access to sensitive endpoints. Attackers can exploit inadequate host parameter checking to execute administrative functions without authentication. This affects all deployments of lollms-webui with the vulnerable code.
💻 Affected Systems
- parisneo/lollms-webui
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary code execution if vulnerable endpoints allow command injection, plus denial of service through forced restarts and unauthorized control over recording functions.
Likely Case
Denial of service through forced application restarts, unauthorized disabling/overriding of recordings, and potential configuration changes if other vulnerable endpoints exist.
If Mitigated
No impact if proper authentication controls are implemented and the vulnerable code is patched or workarounds applied.
🎯 Exploit Status
Exploitation requires sending requests to vulnerable endpoints with manipulated host parameters. Public details available in bounty reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 02e829b5653a1aa5dbbe9413ec84f96caa1274e8
Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/02e829b5653a1aa5dbbe9413ec84f96caa1274e8
Restart Required: Yes
Instructions:
1. Update to the latest lollms-webui version.
2. Apply commit 02e829b5653a1aa5dbbe9413ec84f96caa1274e8.
3. Restart the application.
4. Verify that authentication is properly enforced on all endpoints.
🔧 Temporary Workarounds
Network Access Control
Linux: Restrict network access to lollms-webui using firewall rules
iptables -A INPUT -p tcp --dport [lollms-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [lollms-port] -j DROP
Reverse Proxy Authentication
All platforms: Place lollms-webui behind a reverse proxy with proper authentication
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to trusted IPs only
- Disable or block access to vulnerable endpoints (/restart_program, /update_software, /check_update, /start_recording, /stop_recording) at network level
🔍 How to Verify
Check if Vulnerable:
Test whether unauthenticated requests to the vulnerable endpoints succeed when the host parameter is manipulated. Check whether the current version predates commit 02e829b5653a1aa5dbbe9413ec84f96caa1274e8.
Check Version:
Check the git commit hash or version shown in the lollms-webui interface or source code
Verify Fix Applied:
Verify authentication is required for all sensitive endpoints. Test that host parameter manipulation no longer bypasses authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /restart_program, /update_software, /check_update, /start_recording, /stop_recording endpoints
- Multiple restart requests from single IP
- Recording control requests with no corresponding authentication log entry
Network Indicators:
- HTTP requests to sensitive endpoints without authentication headers
- Requests with manipulated Host headers to lollms-webui
SIEM Query:
source="web_server_logs" AND (uri_path="/restart_program" OR uri_path="/update_software" OR uri_path="/check_update" OR uri_path="/start_recording" OR uri_path="/stop_recording") AND user="" AND auth_token=""
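The log and network indicators above can be turned into an offline check that runs over exported access logs. The following is an added example, not code from lollms-webui or from the advisory: it parses constructed JSON-per-line access log records (the field names `src_ip`, `path`, `host`, `user` and `auth_token` are assumptions of this example, as is the expected Host value `lollms.internal:9600` and the restart threshold of 3) and reports unauthenticated hits on the sensitive endpoints, requests carrying an unexpected Host header, and clients issuing repeated restart requests.

```python
import json
from collections import Counter

# Endpoints the advisory names as reachable without authentication.
SENSITIVE_PATHS = {
    "/restart_program",
    "/update_software",
    "/check_update",
    "/start_recording",
    "/stop_recording",
}

# Assumption: the Host value under which your deployment is actually served.
EXPECTED_HOSTS = {"lollms.internal:9600"}

# Assumption: more restart requests than this from one client within the
# log window is treated as a denial-of-service indicator.
RESTART_THRESHOLD = 3

# Constructed sample log lines (JSON per line). Not real lollms-webui output;
# the field names are assumptions of this example.
SAMPLE_LOG = """\
{"ts":"2024-02-20T10:00:01Z","src_ip":"10.0.0.5","method":"GET","path":"/","host":"lollms.internal:9600","user":"alice","auth_token":"tok"}
{"ts":"2024-02-20T10:00:05Z","src_ip":"203.0.113.7","method":"GET","path":"/restart_program","host":"localhost","user":"","auth_token":""}
{"ts":"2024-02-20T10:00:06Z","src_ip":"203.0.113.7","method":"GET","path":"/restart_program","host":"localhost","user":"","auth_token":""}
{"ts":"2024-02-20T10:00:07Z","src_ip":"203.0.113.7","method":"GET","path":"/restart_program","host":"localhost","user":"","auth_token":""}
{"ts":"2024-02-20T10:00:08Z","src_ip":"203.0.113.7","method":"GET","path":"/restart_program","host":"localhost","user":"","auth_token":""}
{"ts":"2024-02-20T10:00:20Z","src_ip":"198.51.100.2","method":"GET","path":"/start_recording","host":"127.0.0.1","user":"","auth_token":""}
{"ts":"2024-02-20T10:00:30Z","src_ip":"10.0.0.5","method":"GET","path":"/check_update","host":"lollms.internal:9600","user":"alice","auth_token":"tok"}
{"ts":"2024-02-20T10:00:40Z","src_ip":"10.0.0.9","method":"GET","path":"/stop_recording","host":"lollms.internal:9600","user":"","auth_token":""}
"""


def parse_log(text):
    """Parse JSON-per-line records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole scan
    return events


def is_unauthenticated(ev):
    """Mirror the SIEM query: both user and auth_token empty or absent."""
    return not ev.get("user") and not ev.get("auth_token")


def find_indicators(events):
    """Return the three indicator classes from the advisory's detection section."""
    findings = {"unauth_sensitive": [], "host_mismatch": [], "restart_flood": []}
    restarts = Counter()
    for ev in events:
        path = ev.get("path", "")
        if path not in SENSITIVE_PATHS:
            continue
        src = ev.get("src_ip", "?")
        if is_unauthenticated(ev):
            findings["unauth_sensitive"].append((src, path))
        if ev.get("host") not in EXPECTED_HOSTS:
            findings["host_mismatch"].append((src, ev.get("host")))
        if path == "/restart_program":
            restarts[src] += 1
    findings["restart_flood"] = [ip for ip, n in restarts.items() if n > RESTART_THRESHOLD]
    return findings


if __name__ == "__main__":
    result = find_indicators(parse_log(SAMPLE_LOG))
    for kind, hits in result.items():
        print(f"{kind}: {hits}")
```

Authenticated requests to the same endpoints from the expected Host are deliberately not reported, so the output is the set of events a responder would actually triage; tune `EXPECTED_HOSTS` and `RESTART_THRESHOLD` to the deployment before running it over real logs.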
🔗 References
- https://github.com/parisneo/lollms-webui/commit/02e829b5653a1aa5dbbe9413ec84f96caa1274e8
- https://huntr.com/bounties/2f769c46-aa85-4ab8-8b08-fe791313b7ba