CVE-2026-0562
Published: 29 March 2026
Summary
CVE-2026-0562 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Lollms Lollms. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 13.2 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to system resources, directly mitigating the missing authorization checks in the respond_request() function that enable IDOR attacks on friendship requests.
Requires explicit access control decisions for specific resources like friendship IDs based on authenticated user identity, preventing unauthorized manipulation of other users' requests.
Implements a reference monitor mechanism to enforce access control policies at the application level, addressing the failure to validate user ownership of referenced friendship objects.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR authz bypass in network-accessible web endpoint directly enables remote exploitation of a public-facing application by low-privileged valid accounts.
NVD Description
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
Deeper analysis
CVE-2026-0562 is a critical vulnerability (CVSS 8.3, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) affecting parisneo/lollms versions up to 2.2.0. It arises from an Insecure Direct Object Reference (IDOR) in the `respond_request()` function within `backend/routers/friends.py`, where the `/api/friends/requests/{friendship_id}` endpoint fails to verify if the authenticated user is part of the friendship or the intended recipient. This CWE-863 flaw enables any authenticated user to accept or reject friend requests belonging to other users.
Any low-privileged authenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation allows unauthorized manipulation of other users' friend requests, resulting in high confidentiality and integrity impacts—such as privacy violations through unwanted friend additions or rejections—along with low availability impact and potential facilitation of social engineering attacks.
The issue has been addressed in lollms version 2.2.0. Mitigation details are documented in the fixing GitHub commit at https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c, a Huntr bounty report at https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf, and a technical analysis at https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/. Practitioners should upgrade to version 2.2.0 or later and review authorization checks in similar endpoints.
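The flaw class described above (a handler that acts on a client-supplied `friendship_id` without binding it to the authenticated identity) and its fix are shown below in a self-contained Python model. This is an added illustration, not code from parisneo/lollms or from the fixing commit: the `Friendship` record, the in-memory store, the exception names and the `current_user` parameter are all constructed assumptions standing in for a real ORM row, database and web-framework dependency.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Friendship:
    """One friend-request row. Constructed model; field names are assumptions."""
    id: int
    requester_id: str
    recipient_id: str
    status: str = "pending"  # pending | accepted | rejected


class NotFound(Exception):
    """Stand-in for an HTTP 404 response."""


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


def make_store() -> Dict[int, Friendship]:
    """Constructed in-memory table standing in for the database."""
    return {
        1: Friendship(1, "alice", "bob"),
        2: Friendship(2, "carol", "dave"),
    }


def _apply(friendship: Friendship, action: str) -> str:
    """State transition shared by both handlers; input validation only, no authz."""
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action}")
    if friendship.status != "pending":
        raise ValueError("request already answered")
    friendship.status = "accepted" if action == "accept" else "rejected"
    return friendship.status


def respond_request_vulnerable(store: Dict[int, Friendship], friendship_id: int,
                               action: str, current_user: str) -> str:
    """The IDOR pattern from the advisory: the row is looked up by the id the
    client sent and modified without checking that current_user is a party
    to it, so any authenticated user can answer anyone's request."""
    friendship = store.get(friendship_id)
    if friendship is None:
        raise NotFound(friendship_id)
    return _apply(friendship, action)


def is_recipient(store: Dict[int, Friendship], friendship_id: int,
                 current_user: str) -> bool:
    """Explicit access-control decision for one resource (the AC-24 style
    check): only the intended recipient of a request may respond to it."""
    friendship = store.get(friendship_id)
    return friendship is not None and friendship.recipient_id == current_user


def respond_request_fixed(store: Dict[int, Friendship], friendship_id: int,
                          action: str, current_user: str) -> str:
    """Object-level authorization: bind the referenced object to the
    authenticated identity before acting on it."""
    friendship = store.get(friendship_id)
    if friendship is None:
        raise NotFound(friendship_id)
    if not is_recipient(store, friendship_id, current_user):
        raise Forbidden(f"{current_user} may not respond to request {friendship_id}")
    return _apply(friendship, action)


if __name__ == "__main__":
    # Constructed scenario: "mallory" is authenticated but not a party to request 1.
    store = make_store()
    print("vulnerable:", respond_request_vulnerable(store, 1, "accept", "mallory"))
    store = make_store()
    try:
        respond_request_fixed(store, 1, "accept", "mallory")
    except Forbidden as exc:
        print("fixed:", exc)
    print("fixed, recipient:", respond_request_fixed(store, 1, "reject", "bob"))
```

Keeping the decision in a small predicate such as `is_recipient()` makes it reusable by every handler that takes a `friendship_id`, which is the kind of review across similar endpoints the analysis recommends. Whether an unauthorized caller should receive 403 or the same 404 as a missing id is a separate design choice: the latter avoids confirming which ids exist.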
Details
- CWE(s)