Platform
python
Component
parisneo/lollms
Fixed in
2.2.0
CVE-2026-0562 describes a critical Insecure Direct Object Reference (IDOR) vulnerability found in parisneo/lollms versions up to 2.2.0. This flaw allows authenticated users to manipulate friend requests belonging to other users, potentially leading to unauthorized access and privacy breaches. The vulnerability resides in the respond_request() function and has been resolved in version 2.2.0.
The core of the vulnerability lies in the /api/friends/requests/{friendship_id} endpoint within the backend/routers/friends.py file. The application fails to properly verify if the authenticated user is a legitimate participant in the friendship or the intended recipient of the request. An attacker, having authenticated access, can exploit this by crafting requests to accept or reject friend requests on behalf of other users without their consent. This could be used to gain access to private information, manipulate social connections within the application, or potentially escalate privileges depending on the application's broader functionality. The impact is amplified if the application handles sensitive data or controls critical user functions.
CVE-2026-0562 was publicly disclosed on 2026-03-29. There is currently no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the IDOR nature and the potential for relatively easy exploitation once a user is authenticated, it is recommended to prioritize patching.
Exploit Status
EPSS
0.05% (15th percentile)
The primary mitigation for CVE-2026-0562 is to upgrade immediately to version 2.2.0 or later, which includes the necessary authorization checks. If upgrading is not immediately feasible, consider a temporary workaround: add a robust authorization layer to the /api/friends/requests/{friendship_id} endpoint that explicitly verifies, before allowing any action, that the authenticated user is either part of the friendship or the intended recipient of the request. Additionally, apply strict input validation and sanitization to the friendship_id parameter to prevent malicious manipulation. After upgrading, confirm the fix by attempting to accept or reject a friend request belonging to another user while logged in as a different user; the action should be denied.
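The following is an added illustration of the authorization layer described above; it is not code from parisneo/lollms, and FriendRequest, RequestStore, respond_request and attempt are hypothetical names standing in for the project's own types and handler. It also shows why "is a participant" is not enough on its own for accept/reject: the requester must not be able to accept their own request, so the check is against the intended recipient.

```python
# Added illustration of the IDOR fix described in the advisory; not lollms code.
# FriendRequest / RequestStore / respond_request / attempt are hypothetical names.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class FriendRequest:
    friendship_id: int
    requester_id: int          # user who sent the request
    recipient_id: int          # user who may accept or reject it
    status: str = "pending"    # "pending" | "accepted" | "rejected"


@dataclass
class RequestStore:
    requests: Dict[int, FriendRequest] = field(default_factory=dict)


def respond_request(store: RequestStore, friendship_id: int,
                    current_user_id: int, accept: bool) -> FriendRequest:
    """Accept or reject a pending friend request as current_user_id.

    The fix is the ownership check between lookup and state change: a valid
    friendship_id alone must never be enough to act on the record.
    """
    req = store.requests.get(friendship_id)
    if req is None:
        raise LookupError("friend request not found")
    # Only the intended recipient may respond. Being a participant is not
    # sufficient: the requester must not be able to accept their own request.
    if req.recipient_id != current_user_id:
        raise PermissionError("not the recipient of this friend request")
    if req.status != "pending":
        raise ValueError("friend request already answered")
    req.status = "accepted" if accept else "rejected"
    return req


def make_sample_store() -> RequestStore:
    """Constructed sample data: pending requests 10 -> 20 and 30 -> 40."""
    store = RequestStore()
    store.requests[1] = FriendRequest(1, requester_id=10, recipient_id=20)
    store.requests[2] = FriendRequest(2, requester_id=30, recipient_id=40)
    return store


def attempt(store: RequestStore, friendship_id: int, user_id: int, accept: bool) -> str:
    """Post-upgrade verification step: report how the handler treats a caller."""
    try:
        return respond_request(store, friendship_id, user_id, accept).status
    except PermissionError:
        return "denied"
    except LookupError:
        return "not found"
```

A production endpoint would typically map both the missing-record and the not-the-recipient cases to the same HTTP 404 so that probing ids does not reveal which friendship_id values exist.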
Update to version 2.2.0 or later to mitigate the IDOR vulnerability. This version implements the necessary authorization checks to prevent unauthorized access to other users' friend requests.
CVE-2026-0562 is a HIGH severity Insecure Direct Object Reference (IDOR) vulnerability in parisneo/lollms versions up to 2.2.0, allowing authenticated users to manipulate friend requests of other users.
You are affected if you are using parisneo/lollms versions 0.0.0 through 2.2.0 and have not upgraded to a patched version.
Upgrade to version 2.2.0 or later. As a temporary workaround, implement robust authorization checks on the /api/friends/requests/{friendship_id} endpoint.
There is currently no indication of active exploitation or a public proof-of-concept.
Refer to the parisneo/lollms project's official repository or communication channels for the advisory related to CVE-2026-0562.