CVE-2026-0562: Incorrect Authorization in Lollms

Severity: 8.3 HIGH (NVD)
EPSS: 0.0% (top 85.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: listed under Affected Packages below
Timeline: Published Mar 29

Description

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipie
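Added illustration of the authorization gap described above, written as a self-contained Python sketch rather than lollms' own code: a handler that fetches the friendship purely by its id, beside one that first checks that the caller is the pending request's recipient. The in-memory store, the FriendRequest type and the function names are assumptions made for this example.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Request id does not exist."""

class Forbidden(Exception):
    """Caller is not a party to the request."""

@dataclass
class FriendRequest:
    friendship_id: int
    sender_id: int
    receiver_id: int
    status: str = "pending"

def sample_store() -> dict:
    # Constructed sample data: user 1 sent request 10 to user 2.
    return {10: FriendRequest(10, sender_id=1, receiver_id=2)}

def respond_request_unchecked(store, friendship_id, current_user_id, action):
    """Vulnerable pattern: the row is fetched purely by its id, so any
    authenticated caller who supplies that id can accept or reject it (IDOR).
    current_user_id is received but never compared against the row."""
    req = store[friendship_id]
    req.status = "accepted" if action == "accept" else "rejected"
    return req

def can_respond(req: FriendRequest, current_user_id: int) -> bool:
    """Only the recipient of a still-pending request may answer it; the
    sender and unrelated users are refused."""
    return req.status == "pending" and req.receiver_id == current_user_id

def respond_request_checked(store, friendship_id, current_user_id, action):
    """Hardened pattern: bind the object to the caller before acting on it."""
    req = store.get(friendship_id)
    if req is None:
        raise NotFound(friendship_id)
    if not can_respond(req, current_user_id):
        # Refuse before mutating anything; maps to a 403 (or 404, if the
        # API should not reveal that the id exists) in the HTTP layer.
        raise Forbidden(friendship_id)
    if action not in ("accept", "reject"):
        raise ValueError(action)
    req.status = "accepted" if action == "accept" else "rejected"
    return req
```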

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Exploitability: 2.8 | Impact: 5.5

Affected Packages (2 packages)

Source: CVEListV5 | Package: parisneo/parisneo_lollms | Affected: unspecified through 2.2.0
Source: NVD | Package: lollms/lollms | Version: 2.1.0

Patches

Vulnerability Details (1)

GHSA GHSA-2j48-mfm5-x2hv (2026-03-29): A critical security vulnerability in parisneo/lollms versions up to 2