CVE-2026-0562

Source
https://cve.org/CVERecord?id=CVE-2026-0562
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0562.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0562
Aliases
Published
2026-03-29T17:49:44.461Z
Modified
2026-07-08T08:12:40.286272869Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
Insecure Direct Object Reference (IDOR) in parisneo/lollms
Details

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request() function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the /api/friends/requests/{friendship_id} endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/0xxx/CVE-2026-0562.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "@huntr_ai",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "2.2.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/parisneo/lollms

Affected ranges

Type
GIT
Repo
https://github.com/parisneo/lollms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v2.*
v2.0.0
v2.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0562.json"