CVE-2026-0562

High CVSS: 8.3

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.

Vendor

Lollms

Product

Lollms

CWE

CWE-863

Yayın Tarihi

2026-03-29 18:16:14

Güncelleme

2026-03-31 19:30:04

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-863 Lollms HIGH Lollms 2026

Referanslar

https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf

Benzer Kayıtlar

High

CVE-2026-0560

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in th…

Critical

CVE-2026-0558

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and proces…

High

CVE-2025-1451

A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads.…

High

CVE-2024-9919

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauth…

High

CVE-2024-9920

In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions,…

Critical

CVE-2024-8898

A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V1…