CVE-2026-0562 - Vulnerability Analysis
Severity: High | CVSS: 8.3 | Last Updated: March 31, 2026
parisneo lollms - Broken Access Control
Overview
parisneo/lollms versions up to and including 2.2.0 contain an insecure direct object reference (IDOR) caused by missing authorization checks in respond_request() in backend/routers/friends.py. Any authenticated user can accept or reject friend requests that belong to other users; exploitation requires an authenticated account.
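To make the missing-authorization pattern concrete, here is a constructed Python example (not lollms' own code; the data model, function names and the in-memory store are assumptions modelled on the advisory text) showing a handler that looks a friend request up by id alone next to a hardened version that also verifies the caller is the request's recipient.

```python
"""Missing-authorization (IDOR) pattern behind CVE-2026-0562, illustrated.

Constructed example: names and data model are assumptions modelled on the
advisory, not the real backend/routers/friends.py from lollms.
"""
from dataclasses import dataclass


@dataclass
class FriendRequest:
    id: int
    sender: str
    recipient: str
    status: str = "pending"


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


def make_store() -> dict:
    """Constructed sample data: one pending request from alice to bob."""
    return {1: FriendRequest(id=1, sender="alice", recipient="bob")}


def respond_request_vulnerable(store: dict, friendship_id: int,
                               action: str, current_user: str) -> str:
    """Pattern the advisory describes: the request is fetched by id only, so
    any authenticated user (current_user is never consulted) can answer it."""
    req = store[friendship_id]
    req.status = "accepted" if action == "accept" else "rejected"
    return req.status


def respond_request_fixed(store: dict, friendship_id: int,
                          action: str, current_user: str) -> str:
    """Hardened version: only the recipient may answer, only while pending."""
    if action not in ("accept", "reject"):
        raise ValueError("action must be 'accept' or 'reject'")
    req = store.get(friendship_id)
    # Same error for "no such id" and "not addressed to you", so an attacker
    # cannot enumerate valid ids by comparing responses.
    if req is None or req.recipient != current_user:
        raise Forbidden("friend request not found or not addressed to you")
    if req.status != "pending":
        raise ValueError("request already answered")
    req.status = "accepted" if action == "accept" else "rejected"
    return req.status
```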
Severity & Score
Impact
Authenticated users can manipulate friend requests of others, leading to unauthorized access and privacy violations.
Mitigation
Update to version 2.2.0 or later.
References
Social Media Activity (2 posts)
CVE-2026-0562 (HIGH, CVSS 8.3) in parisneo/lollms ≤2.2.0: Authenticated users can accept/reject others' friend requests via IDOR in /api/friends/requests/{friendship_id}. Upgrade to 2.2.0+ and audit API auth now! https://radar.offseq.com/threat/cve-2026-0562-cwe-863-incorrect-authorization-in-p-77e45474 #OffSeq #CVE20260562 #IDOR #AppSec
CVE-2026-0562 - High (8.3) A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not impleme... https://www.thehackerwire.com/vulnerability/CVE-2026-0562/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-0562
- Severity: High
- CVSS Score: 8.3
- Type: broken_access_control
- Status: confirmed
- EPSS: 4.9%
- Social Posts: 2
CWE
- CWE-863
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L