CVE-2026-0562: CWE-863 Incorrect Authorization in parisneo parisneo/lollms
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-0562) in parisneo/lollms versions up to 2.2.0 is caused by missing authorization validation in the respond_request() function handling friend request responses. Specifically, the API endpoint /api/friends/requests/{friendship_id} does not confirm that the authenticated user is part of the friendship or the intended recipient, enabling an attacker with valid credentials to manipulate friend requests of other users. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability categorized under CWE-863 (Incorrect Authorization). The vulnerability has been addressed in version 2.2.0 of the product.
Potential Impact
Exploitation of this vulnerability allows any authenticated user to accept or reject friend requests on behalf of other users, leading to unauthorized access to social interactions and potential privacy violations. This could facilitate social engineering or manipulation of user relationships within the platform. The CVSS score of 8.3 reflects high impact on confidentiality and integrity, with low attack complexity and no user interaction required.
Mitigation Recommendations
A fix for this vulnerability is available in parisneo/lollms version 2.2.0. Users and administrators should upgrade to version 2.2.0 or later to remediate this issue. Since this is not a cloud service, manual patching is required. There are no indications of known exploits in the wild at this time.
CVE-2026-0562: CWE-863 Incorrect Authorization in parisneo parisneo/lollms
Description
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-0562) in parisneo/lollms versions up to 2.2.0 is caused by missing authorization validation in the respond_request() function handling friend request responses. Specifically, the API endpoint /api/friends/requests/{friendship_id} does not confirm that the authenticated user is part of the friendship or the intended recipient, enabling an attacker with valid credentials to manipulate friend requests of other users. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability categorized under CWE-863 (Incorrect Authorization). The vulnerability has been addressed in version 2.2.0 of the product.
Potential Impact
Exploitation of this vulnerability allows any authenticated user to accept or reject friend requests on behalf of other users, leading to unauthorized access to social interactions and potential privacy violations. This could facilitate social engineering or manipulation of user relationships within the platform. The CVSS score of 8.3 reflects high impact on confidentiality and integrity, with low attack complexity and no user interaction required.
Mitigation Recommendations
A fix for this vulnerability is available in parisneo/lollms version 2.2.0. Users and administrators should upgrade to version 2.2.0 or later to remediate this issue. Since this is not a cloud service, manual patching is required. There are no indications of known exploits in the wild at this time.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-01-01T22:48:39.975Z
- Cvss Version
- 3.0
- State
- PUBLISHED
Threat ID: 69c97a88e6bfc5ba1dc86195
Added to database: 3/29/2026, 7:16:24 PM
Last enriched: 4/22/2026, 10:41:55 PM
Last updated: 5/14/2026, 3:23:17 AM
Views: 112
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.