CVE-2026-1114 in parisneo/lollms 2.1.0 allows unauthenticated attackers to forge administrator-level JWT tokens by recovering a cryptographically weak signing key offline — no active session or credentials required. The fully remediated version is 2.2.0; any internet-accessible lollms 2.1.0 instance should be isolated, upgraded immediately, and have its JWT signing secret rotated. While EPSS indicates low observed exploitation activity, the attack technique is well-documented and requires no authentication, making exposure window management critical.

Author

Tech Jacks Solutions