CVE-2026-0562

Description

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.

How to fix CVE-2026-0562

To remediate CVE-2026-0562, upgrade the affected package to a fixed version below.

• —upgrade to 2.1.1 or later

Is CVE-2026-0562 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-0562.

Affected packages (1)

• from 0, < 2.1.1

CVSS scores

References (3)

• PATCHgithub.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c
• REPORThuntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf
• WEBaydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/