{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0562", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-01T22:48:39.975Z", "datePublished": "2026-03-29T17:49:44.461Z", "dateUpdated": "2026-04-22T14:57:21.275Z"}, "containers": {"cna": {"title": "Insecure Direct Object Reference (IDOR) in parisneo/lollms", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-29T17:49:44.461Z"}, "descriptions": [{"lang": "en", "value": "A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"version": "unspecified", "lessThan": "2.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf"}, {"url": "https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863"}]}], "source": {"advisory": "6aab01ca-a138-4a1d-bef9-3bce145359bf", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:34:27.114666Z", "id": "CVE-2026-0562", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:34:50.251Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T14:57:21.275Z"}, "references": [{"url": "https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T14:57:21.275Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0562", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T15:34:27.114666Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:34:45.678Z"}}], "cna": {"title": "Insecure Direct Object Reference (IDOR) in parisneo/lollms", "source": {"advisory": "6aab01ca-a138-4a1d-bef9-3bce145359bf", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.2.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf"}, {"url": "https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c"}], "descriptions": [{"lang": "en", "value": "A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-29T17:49:44.461Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0562", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:57:21.275Z", "dateReserved": "2026-01-01T22:48:39.975Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-29T17:49:44.461Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7118851E-5C3C-499B-BBB5-0327B7FD85AF", "versionEndIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad cr\u00edtica en las versiones de parisneo/lollms hasta la 2.2.0 permite a cualquier usuario autenticado aceptar o rechazar solicitudes de amistad pertenecientes a otros usuarios. La funci\u00f3n 'respond_request()' en 'backend/routers/friends.py' no implementa comprobaciones de autorizaci\u00f3n adecuadas, lo que permite ataques de Referencia Directa a Objeto Insegura (IDOR). Espec\u00edficamente, el endpoint '/api/friends/requests/{friendship_id}' no verifica si el usuario autenticado es parte de la amistad o el destinatario previsto de la solicitud. Esta vulnerabilidad puede conducir a acceso no autorizado, violaciones de la privacidad y posibles ataques de ingenier\u00eda social. El problema ha sido abordado en la versi\u00f3n 2.2.0."}], "id": "CVE-2026-0562", "lastModified": "2026-04-22T16:16:52.583", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-29T18:16:14.460", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@huntr.dev", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "parisneo/lollms", "source": "cna", "vendor": "parisneo"}, "product": "parisneo/lollms", "vendor": "parisneo"}], "analysis": {"en": {"generated_at": "2026-04-01T05:26:33.271439+00:00", "value": {"mitigation_remediation": ["Verify the current lollms version on all installations.", "If the version is older than 2.2.0, upgrade immediately to 2.2.0 or later.", "Revoke or reset credentials for accounts that no longer need access, as an additional precaution after the patch has been applied."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Modification of Friend Requests"}, "threat_synthesis": {"affected_systems": "Parisneo lollms is affected in all versions up to 2.1.x. The issue was fixed in version 2.2.0 and later. Users running lollms prior to 2.2.0 are vulnerable.", "description_and_impact": "The vulnerability is an Insecure Direct Object Reference that allows any authenticated user to accept or reject friend requests that belong to other users. Because the API endpoint does not verify that the requester is part of the specified friendship, an attacker can manipulate the relationship state of other users, leading to privacy violations and enabling social engineering tactics. This flaw enables unauthorized modification of data for users other than the attacker, which can compromise confidentiality and integrity of user relationships.", "risk_and_exploitability": "The CVSS score is 8.3, indicating high severity, and the EPSS score is less than 1%, suggesting a relatively low likelihood of exploitation but with potential for targeted attacks. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs valid authenticated credentials to abuse the endpoint; no further access is required. The attack vector is inferred to be internal, as it requires authentication, but the lack of proper authorization checks makes the exploitation trivial once credentials are obtained."}}}}, "created": "2026-03-29T20:31:16.522294+00:00", "updated": "2026-04-02T07:55:06.678254+00:00", "vendors": ["parisneo", "parisneo$PRODUCT$parisneo/lollms"]}