Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.
Published: 2026-04-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows a user to force the acceptance of a friend request on another account by crafting a request. This bypasses normal authorization controls, enabling an attacker to establish a friendship relationship without the target account's consent. The weakness is classified as improper authorization (CWE-285).

Affected Systems

The flaw exists in the friends feature of DNN (formerly DotNetNuke) from version 6.0.0 up to, but not including, version 10.2.2 of Dnn.Platform. Versions prior to 10.2.2 are vulnerable; version 10.2.2 includes the fix.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting a low to moderate likelihood of exploitation. Attackers would need knowledge of the target user’s account context and the ability to send a forged request; the attack vector is likely web-based, accessed through the application’s friends feature, based on the description. With the flaw, an attacker can force the acceptance of a friend request on another account, enabling an unauthorized friendship relationship.

Generated by OpenCVE AI on April 18, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Dnn.Platform to version 10.2.2 or later to apply the vendor patch that closes the authorization bypass.
  • If an upgrade is not immediately possible, temporarily disable the friends feature or block access to the friend request endpoint to prevent unauthorized friend acceptance.
  • Review and tighten access controls for the friend request functionality to ensure that only the request initiator can accept or force acceptance of requests.

Generated by OpenCVE AI on April 18, 2026 at 17:05 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-fpj4-9qhx-5m6m
Title: DNN: Force Friend Request Acceptance
History

Fri, 24 Apr 2026 14:45:00 +0000 (values added)

First Time appeared: Dnnsoftware dotnetnuke
CPEs: cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*
Vendors & Products: Dnnsoftware dotnetnuke

Mon, 20 Apr 2026 14:15:00 +0000 (values added)

Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 22:45:00 +0000 (values added)

First Time appeared: Dnnsoftware; Dnnsoftware dnn Platform
Vendors & Products: Dnnsoftware; Dnnsoftware dnn Platform

Fri, 17 Apr 2026 21:30:00 +0000 (values added)

Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.
Title: DNN has Force Friend Request Acceptance
Weaknesses: CWE-285
References:
Metrics: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T13:36:06.644Z

Reserved: 2026-04-10T21:41:54.504Z

Link: CVE-2026-40305

Vulnrichment

Updated: 2026-04-20T13:32:43.464Z

NVD

Status: Analyzed

Published: 2026-04-17T22:16:32.370

Modified: 2026-04-24T14:40:43.280

Link: CVE-2026-40305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses