Platform
python
Component
parisneo/lollms
Fixed in
2.2.0
CVE-2026-0562 describes a high-severity Insecure Direct Object Reference (IDOR) vulnerability in parisneo/lollms versions before 2.2.0. The flaw lets any authenticated user manipulate friend requests belonging to other users, allowing unauthorized actions on their behalf and privacy breaches. It resides in the respond_request() function and was fixed in version 2.2.0.
An attacker exploiting CVE-2026-0562 needs nothing more than an ordinary authenticated account. By substituting another user's identifier into the /api/friends/requests/{friendship_id} endpoint, the attacker can accept or reject friend requests that were never addressed to them, forging or severing connections between other users and learning who has requested whom. The impact is significant because exploitation requires only a valid login and a guessable numeric id. The root cause is a missing object-level authorization check: the endpoint authenticates the caller but never verifies that the referenced friend request belongs to that caller.
CVE-2026-0562 was published on 2026-03-29. Its CVSS score of 8.3 (HIGH) indicates a significant risk. At publication there was no known public proof-of-concept and no indication of active exploitation (EPSS 0.05%, 15th percentile), but the flaw is simple to exploit for any authenticated user, so publicly reachable multi-user instances should treat it as urgent.
Deployments of parisneo/lollms that expose the friend request functionality to more than one user are at risk. Any instance running a version before 2.2.0 is vulnerable.
• python / lollms:

# Check whether the installed lollms distribution predates the fix (2.2.0).
# Versions are compared numerically; a string comparison such as
# version <= '2.2.0' is lexicographic and misorders e.g. '2.10.0'.
import re
import subprocess

FIXED = (2, 2, 0)
# Distribution name as given on this page; adjust it if `pip show` finds nothing.
result = subprocess.run(['pip', 'show', 'parisneo-lollms'], capture_output=True, text=True)
match = re.search(r'^Version:\s*(\S+)', result.stdout, re.MULTILINE)
if match is None:
    print('lollms is not installed in this environment')
else:
    installed = tuple(int(p) for p in re.findall(r'\d+', match.group(1))[:3])
    if installed < FIXED:
        print(f'Vulnerable version detected: {match.group(1)}')

• generic web:

# Confirms only that the endpoint demands authentication (a WWW-Authenticate
# challenge on an unauthenticated request). It cannot detect the IDOR itself,
# which is an authorization gap between two valid, authenticated users.
curl -sI https://your-lollms-instance.com/api/friends/requests/123 | grep -i 'WWW-Authenticate'

• generic web:

# Look for one client acting on many different friendship_id values. -E makes
# '+' a quantifier; the second filter assumes the access log records the acting
# user (e.g. a user_id field), which a stock nginx log format does not.
grep -E '/api/friends/requests/[0-9]+' /var/log/nginx/access.log | grep -E 'user_id=[0-9]+'

Disclosure
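The grep above only narrows the log; the signal a responder actually wants is one authenticated identity successfully acting on many distinct friendship ids. The following is an added example, not part of the original page or the lollms project: it runs that heuristic over constructed access-log lines. The `user=` field on each line is an assumption standing in for whatever the deployment logs as the acting user, and the path pattern matches the endpoint named on this page.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). The trailing `user=` field is an
# assumption; a stock nginx log does not carry the authenticated user.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2026:10:00:01 +0000] "POST /api/friends/requests/101 HTTP/1.1" 200 52 user=7
10.0.0.5 - - [29/Mar/2026:10:00:02 +0000] "POST /api/friends/requests/102 HTTP/1.1" 200 52 user=7
10.0.0.5 - - [29/Mar/2026:10:00:02 +0000] "POST /api/friends/requests/103 HTTP/1.1" 200 52 user=7
10.0.0.5 - - [29/Mar/2026:10:00:03 +0000] "POST /api/friends/requests/104 HTTP/1.1" 200 52 user=7
10.0.0.5 - - [29/Mar/2026:10:00:04 +0000] "POST /api/friends/requests/105 HTTP/1.1" 404 21 user=7
10.0.0.9 - - [29/Mar/2026:10:05:10 +0000] "POST /api/friends/requests/201 HTTP/1.1" 200 52 user=12
10.0.0.9 - - [29/Mar/2026:10:07:44 +0000] "GET /api/friends/requests HTTP/1.1" 200 310 user=12
"""

# Only requests that name a specific friendship_id are of interest.
LINE = re.compile(
    r'"(?P<method>[A-Z]+) /api/friends/requests/(?P<fid>\d+) [^"]*" '
    r'(?P<status>\d{3}) \d+ user=(?P<user>\d+)'
)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def ids_per_user(log_text: str) -> dict:
    """Map each acting user to the set of friendship ids they successfully changed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m["method"] in STATE_CHANGING and m["status"].startswith("2"):
            seen[m["user"]].add(int(m["fid"]))
    return seen


def suspicious_users(log_text: str, threshold: int = 3) -> list:
    """Users who answered more than `threshold` distinct requests.

    A legitimate user answers requests addressed to them, typically a handful;
    a single account sweeping consecutive ids is the IDOR pattern.
    """
    return sorted(u for u, ids in ids_per_user(log_text).items() if len(ids) > threshold)


if __name__ == "__main__":
    print(suspicious_users(SAMPLE_LOG))  # ['7']
```

Tune the threshold to the deployment's normal friend-request volume, and treat a burst of 404 or 403 responses on the same path from one user as a sign of id enumeration once the patched version is in place.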
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0562 is to upgrade parisneo/lollms to version 2.2.0 or later. Before upgrading, review the project's release notes for potential compatibility issues. If an upgrade is not immediately feasible, add an ownership check to the respond_request() handler so that a user can only accept or reject friend requests addressed to them. Role-based access control (RBAC) is a useful complement for restricting sensitive functionality, but it does not by itself fix this class of flaw, which is an object-level check on who owns a given record. After upgrading, verify the fix by logging in as one user, attempting to accept or reject a friend request addressed to a different user, and confirming that the request is refused.
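The ownership check described above, shown as an added example beside the vulnerable shape it replaces. This is illustrative code, not parisneo/lollms' own: the names respond_request, Friendship, requester_id, recipient_id and the in-memory store are assumptions modelled on the endpoint named on this page, and the project's real handler signature is not shown here.

```python
"""Ownership check for answering a friend request: the IDOR beside its fix.

Added example, not code from parisneo/lollms. The names respond_request,
Friendship, requester_id, recipient_id and the store are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict


class NotFound(Exception):
    """friendship_id does not exist, or is not addressed to the caller."""


@dataclass
class Friendship:
    friendship_id: int
    requester_id: int      # user who sent the request
    recipient_id: int      # the only user allowed to accept or reject it
    status: str = "pending"


@dataclass
class FriendshipStore:
    rows: Dict[int, Friendship] = field(default_factory=dict)

    def get(self, friendship_id: int) -> Friendship:
        try:
            return self.rows[friendship_id]
        except KeyError:
            raise NotFound(friendship_id) from None


def respond_request_vulnerable(store, current_user_id, friendship_id, action):
    """Pre-fix shape of the flaw: the caller's identity is never compared
    with the row, so any authenticated user can answer any request."""
    fs = store.get(friendship_id)
    fs.status = "accepted" if action == "accept" else "rejected"
    return fs


def respond_request_fixed(store, current_user_id, friendship_id, action):
    """Hardened handler: load the row, then verify the caller owns it."""
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action {action!r}")
    fs = store.get(friendship_id)
    # Object-level authorization: only the recipient may answer.
    # Answering "not found" instead of "forbidden" keeps foreign ids unprobable.
    if fs.recipient_id != current_user_id:
        raise NotFound(friendship_id)
    if fs.status != "pending":
        raise ValueError("request already answered")
    fs.status = "accepted" if action == "accept" else "rejected"
    return fs


def sample_store() -> FriendshipStore:
    # Constructed data: user 1 sent request 123 to user 2.
    return FriendshipStore({123: Friendship(123, requester_id=1, recipient_id=2)})


def demo():
    """User 3, a stranger to request 123, tries to accept it both ways."""
    vulnerable = sample_store()
    respond_request_vulnerable(vulnerable, current_user_id=3, friendship_id=123, action="accept")

    fixed = sample_store()
    try:
        respond_request_fixed(fixed, current_user_id=3, friendship_id=123, action="accept")
        blocked = False
    except NotFound:
        blocked = True
    return vulnerable.get(123).status, blocked, fixed.get(123).status


if __name__ == "__main__":
    print(demo())  # ('accepted', True, 'pending')
```

The check is deliberately placed after the row is loaded and before any state change, and it compares against the row's own recipient field rather than anything supplied in the request; the friendship_id from the URL is treated as untrusted input that merely selects a row the caller must still be shown to own. The same demo doubles as the post-upgrade verification step: the foreign user's attempt must leave the request pending.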
Upgrade to version 2.2.0 or later to mitigate the IDOR vulnerability. This version implements the authorization checks needed to prevent unauthorized access to other users' friend requests.
CVE-2026-0562 is a HIGH severity Insecure Direct Object Reference (IDOR) vulnerability in parisneo/lollms versions before 2.2.0, allowing authenticated users to manipulate friend requests of other users.
You are affected if you are running any parisneo/lollms version before 2.2.0.
Upgrade to version 2.2.0 or later. As a temporary workaround, add an ownership check to the /api/friends/requests/{friendship_id} endpoint so that only the recipient of a friend request can accept or reject it.
There is currently no indication of active exploitation or a public proof-of-concept.
Refer to the parisneo/lollms project's official repository or communication channels for the advisory related to CVE-2026-0562.