CVE-2026-0562: CWE-863 Incorrect Authorization in parisneo parisneo/lollms
CVE-2026-0562 is a high-severity vulnerability in parisneo/lollms versions up to 2.2.0 that allows any authenticated user to accept or reject friend requests on behalf of other users due to improper authorization checks. The flaw exists in the respond_request() function within backend/routers/friends.py, where the API endpoint /api/friends/requests/{friendship_id} does not verify if the user is authorized to act on the specified friendship request. This Insecure Direct Object Reference (IDOR) vulnerability can lead to unauthorized actions on social connections, privacy breaches, and potential social engineering risks. Exploitation requires authentication but no user interaction beyond that. The vulnerability has been fixed in version 2.2.0.
AI Analysis
Technical Summary
CVE-2026-0562 is a critical authorization vulnerability classified under CWE-863 found in the parisneo/lollms software up to version 2.2.0. The vulnerability arises from the respond_request() function in backend/routers/friends.py, which handles friend request responses. The API endpoint /api/friends/requests/{friendship_id} fails to verify whether the authenticated user is either the sender or recipient of the friend request identified by friendship_id. This lack of proper authorization checks allows any authenticated user to accept or reject friend requests belonging to other users, constituting an Insecure Direct Object Reference (IDOR) flaw. The impact includes unauthorized modification of social relationships, privacy violations, and increased risk of social engineering attacks leveraging manipulated friend connections. The vulnerability requires the attacker to be authenticated but does not require additional user interaction, making exploitation feasible in environments where user credentials are compromised or shared. The CVSS v3.0 score is 8.3 (high), reflecting the network attack vector, low attack complexity, required privileges, no user interaction, and high confidentiality and integrity impacts with low availability impact. The issue was publicly disclosed on March 29, 2026, and has been addressed in version 2.2.0 of the software. No known exploits in the wild have been reported to date.
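The pattern described above, an authenticated handler that loads an object by the id in the URL and mutates it without relating the caller to that object, is shown below beside a hardened version. This is added example code for this advisory, not lollms's own implementation: the in-memory data model, the function names respond_request_unchecked and respond_request, the exception classes and the demo scenario are all assumptions made for the demonstration. The hardened handler follows the advisory's wording (the caller must be the sender or recipient of the request) and additionally refuses to answer a request that is no longer pending.

```python
"""Illustrative model of the authorization flaw described for
/api/friends/requests/{friendship_id}. Added example code, not lollms's
own router: the model, function and exception names are assumptions."""

from dataclasses import dataclass, field
from typing import Dict


class NotFound(Exception):
    """Would map to HTTP 404 in a real router."""


class Forbidden(Exception):
    """Would map to HTTP 403 in a real router."""


class BadRequest(Exception):
    """Would map to HTTP 400 in a real router."""


@dataclass
class FriendRequest:
    friendship_id: int
    sender_id: int
    recipient_id: int
    status: str = "pending"  # pending | accepted | rejected


@dataclass
class FriendStore:
    requests: Dict[int, FriendRequest] = field(default_factory=dict)

    def get(self, friendship_id: int) -> FriendRequest:
        req = self.requests.get(friendship_id)
        if req is None:
            raise NotFound(f"friendship {friendship_id} does not exist")
        return req


VALID_ACTIONS = {"accept": "accepted", "reject": "rejected"}


def respond_request_unchecked(store: FriendStore, current_user_id: int,
                              friendship_id: int, action: str) -> str:
    """Vulnerable pattern: the caller is authenticated (current_user_id is
    known) but the handler never relates the caller to the object it
    mutates, so any logged-in user can answer any friendship_id."""
    req = store.get(friendship_id)
    if action not in VALID_ACTIONS:
        raise BadRequest("action must be accept or reject")
    req.status = VALID_ACTIONS[action]
    return req.status


def respond_request(store: FriendStore, current_user_id: int,
                    friendship_id: int, action: str) -> str:
    """Hardened pattern: load the object, then require the caller to be a
    party to it (sender or recipient) and the request to still be pending.
    Ownership is checked against the stored object, not the URL."""
    req = store.get(friendship_id)
    if current_user_id not in (req.sender_id, req.recipient_id):
        # Returning 404 here instead of 403 is a common choice that avoids
        # confirming the id exists; 403 is used for clarity in this example.
        raise Forbidden("caller is not a party to this friend request")
    if action not in VALID_ACTIONS:
        raise BadRequest("action must be accept or reject")
    if req.status != "pending":
        raise BadRequest("request has already been answered")
    req.status = VALID_ACTIONS[action]
    return req.status


def demo() -> dict:
    """Constructed scenario: user 1 sent request 42 to user 2; user 3 is an
    unrelated but authenticated user."""
    results = {}
    store = FriendStore({42: FriendRequest(42, sender_id=1, recipient_id=2)})
    # Unchecked handler: the outsider silently accepts someone else's request.
    results["unchecked_outsider"] = respond_request_unchecked(store, 3, 42, "accept")

    store = FriendStore({42: FriendRequest(42, sender_id=1, recipient_id=2)})
    try:
        respond_request(store, 3, 42, "accept")
        results["checked_outsider"] = "allowed"
    except Forbidden:
        results["checked_outsider"] = "forbidden"
    # The legitimate recipient still succeeds, and a second answer is refused.
    results["checked_recipient"] = respond_request(store, 2, 42, "accept")
    try:
        respond_request(store, 2, 42, "reject")
        results["double_answer"] = "allowed"
    except BadRequest:
        results["double_answer"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The important ordering is load, then check the caller against the loaded object, then mutate; a check that compares the caller only against the URL parameter (or that runs after the write) would not close the IDOR.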
Potential Impact
This vulnerability allows attackers with valid user credentials to manipulate friend requests of other users, potentially altering social graphs without consent. This can lead to unauthorized access to private social information, erosion of trust within user communities, and facilitate social engineering attacks by creating or removing trusted connections. For organizations relying on parisneo/lollms for social or collaborative platforms, this can result in privacy breaches, reputational damage, and user dissatisfaction. The integrity of user relationships is compromised, which may cascade into further exploitation such as phishing or impersonation attacks. Although availability impact is low, the confidentiality and integrity impacts are high, making this a serious threat to user data and platform trustworthiness.
Mitigation Recommendations
Organizations should immediately upgrade parisneo/lollms to version 2.2.0 or later, where the authorization checks have been properly implemented. Until upgrading is possible, restrict access to the friend request API endpoints through network segmentation and strict access controls. Implement additional monitoring and alerting for unusual friend request acceptance or rejection patterns. Conduct thorough audits of user permissions and session management to detect potential misuse. Educate users about the risks of credential sharing and enforce strong authentication mechanisms to reduce the risk of compromised accounts. Developers should review similar API endpoints for proper authorization enforcement to prevent analogous IDOR vulnerabilities. Employ security testing tools such as automated authorization testing and penetration testing focused on IDOR scenarios.
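Two of the interim measures above, monitoring for unusual acceptance or rejection patterns and auditing for misuse, can be run over the web server's access log together with a friendship export from the database. The helper below is an added example written for this advisory, not part of lollms: the access-log format, the HTTP method (assumed POST), the sample lines and the ownership table are constructed assumptions, and a real deployment would substitute its own log and export. It raises a definitive alert when a successful response was made by a user who is neither sender nor recipient, and a heuristic alert when one user answers many distinct requests in a short window.

```python
"""Audit and detection helper for the friend-request endpoint. Added
example for this advisory, not lollms code; log format, HTTP method and
ownership table are constructed assumptions."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed access-log lines: timestamp, authenticated user, method, path, status.
SAMPLE_LOG = """\
2026-03-29T19:10:01Z user=2 POST /api/friends/requests/42 200
2026-03-29T19:12:30Z user=3 POST /api/friends/requests/42 200
2026-03-29T19:12:31Z user=3 POST /api/friends/requests/43 200
2026-03-29T19:12:33Z user=3 POST /api/friends/requests/44 200
2026-03-29T19:12:35Z user=3 POST /api/friends/requests/45 200
2026-03-29T19:30:00Z user=5 POST /api/friends/requests/46 403
2026-03-29T19:31:00Z user=7 GET /api/friends/requests 200
"""

# Constructed ownership table, as a database export would provide it:
# friendship_id -> (sender_id, recipient_id)
OWNERSHIP: Dict[int, Tuple[int, int]] = {
    42: (1, 2), 43: (4, 6), 44: (4, 8), 45: (9, 10), 46: (5, 11),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) (?P<method>[A-Z]+) "
    r"/api/friends/requests/(?P<fid>\d+) (?P<status>\d{3})$"
)


def parse_responses(log_text: str) -> Iterator[Tuple[datetime, int, int, int]]:
    """Yield (timestamp, user_id, friendship_id, http_status) for write calls
    to the per-request endpoint; list/GET calls and unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] == "GET":
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               int(m["user"]), int(m["fid"]), int(m["status"]))


def audit(log_text: str, ownership: Dict[int, Tuple[int, int]],
          window: timedelta = timedelta(minutes=5),
          max_distinct: int = 3) -> List[str]:
    """Return alert strings for non-party responses and for fan-out."""
    alerts: List[str] = []
    recent = defaultdict(deque)   # user -> deque of (ts, fid) inside the window
    flagged_fanout = set()        # report fan-out once per user
    for ts, user, fid, status in parse_responses(log_text):
        if status != 200:
            continue  # the write did not succeed, so no relationship changed
        parties = ownership.get(fid)
        if parties is not None and user not in parties:
            alerts.append(f"non-party response: user {user} answered "
                          f"friendship {fid} (parties {parties})")
        q = recent[user]
        q.append((ts, fid))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {f for _, f in q}
        if len(distinct) > max_distinct and user not in flagged_fanout:
            flagged_fanout.add(user)
            alerts.append(f"fan-out: user {user} answered {len(distinct)} "
                          f"distinct requests within {window}")
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG, OWNERSHIP):
        print(a)
```

The non-party check is the one to rely on for retrospective audit of the exposure window, since it needs no threshold; the fan-out check is only a prompt for investigation and its window and threshold should be tuned to the platform's normal usage.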
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: @huntr_ai
- Date Reserved: 2026-01-01T22:48:39.975Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69c97a88e6bfc5ba1dc86195
Added to database: 3/29/2026, 7:16:24 PM
Last enriched: 3/29/2026, 7:16:57 PM
Last updated: 3/29/2026, 9:43:53 PM