CVE-2026-0562

HIGH 8.3

Insecure Direct Object Reference (IDOR) in parisneo/lollms

CVSS Score

8.3

EPSS Score

0.0%

EPSS Percentile

15th

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.

CWE	CWE-863
Vendor	parisneo
Product	parisneo/lollms
Published	Mar 29, 2026
Last Updated	Mar 30, 2026

Stay Ahead of the Next One

Get instant alerts for parisneo parisneo/lollms

Be the first to know when new high vulnerabilities affecting parisneo parisneo/lollms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Versions

parisneo / parisneo/lollms

unspecified < 2.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

huntr.com: https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf github.com: https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c