Description
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
Published: 2026-03-29
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Friend Requests
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that allows any authenticated user to accept or reject friend requests that belong to other users. Because the API endpoint does not verify that the requester is part of the specified friendship, an attacker can manipulate the relationship state of other users, leading to privacy violations and enabling social engineering tactics. This flaw enables unauthorized modification of data for users other than the attacker, which can compromise confidentiality and integrity of user relationships.

Affected Systems

Parisneo lollms is affected in all versions up to 2.1.x. The issue was fixed in version 2.2.0 and later. Users running lollms prior to 2.2.0 are vulnerable.

Risk and Exploitability

The CVSS score is 8.3, indicating high severity, and the EPSS score is less than 1%, suggesting a relatively low likelihood of exploitation but with potential for targeted attacks. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs valid authenticated credentials to abuse the endpoint; no further access is required. The attack vector is inferred to be internal, as it requires authentication, but the lack of proper authorization checks makes the exploitation trivial once credentials are obtained.

Generated by OpenCVE AI on April 1, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current lollms version on all installations.
  • If the version is older than 2.2.0, upgrade immediately to 2.2.0 or later.
  • Revoke or reset credentials for accounts that no longer need access, as an additional precaution after the patch has been applied.

Generated by OpenCVE AI on April 1, 2026 at 05:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
References

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Lollms
Lollms lollms
CPEs cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*
Vendors & Products Lollms
Lollms lollms
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Parisneo
Parisneo parisneo/lollms
Vendors & Products Parisneo
Parisneo parisneo/lollms

Sun, 29 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
Title Insecure Direct Object Reference (IDOR) in parisneo/lollms
Weaknesses CWE-863
References
Metrics cvssV3_0

{'score': 8.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Lollms Lollms
Parisneo Parisneo/lollms
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-04-22T14:57:21.275Z

Reserved: 2026-01-01T22:48:39.975Z

Link: CVE-2026-0562

cve-icon Vulnrichment

Updated: 2026-04-22T14:57:21.275Z

cve-icon NVD

Status : Modified

Published: 2026-03-29T18:16:14.460

Modified: 2026-04-22T16:16:52.583

Link: CVE-2026-0562

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:06Z

Weaknesses