CVE-2024-6040 MEDIUM

CVE-2024-6040: Missing client_id in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms
Weakness CWE-352 · CSRF
Published August 1, 2024
Last update October 15, 2025

CVSS base score

4.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Description

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Disclosure timeline

August 1, 2024 CVE published
October 15, 2025 Record updated
