CVE-2026-0562
IDOR Vulnerability in parisneo/lollms Allows Unauthorized Friend Request Control
Publication date: 2026-03-29
Last updated on: 2026-04-22
Assigner: huntr.dev
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lollms | lollms | to 2.1.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical security flaw in parisneo/lollms versions up to 2.2.0 that allows any authenticated user to accept or reject friend requests that belong to other users.
The issue arises because the function responsible for responding to friend requests (`respond_request()` in `backend/routers/friends.py`) does not properly check if the user making the request is authorized to do so. Specifically, the API endpoint `/api/friends/requests/{friendship_id}` fails to verify whether the authenticated user is part of the friendship or the intended recipient of the friend request.
This lack of authorization check enables an Insecure Direct Object Reference (IDOR) attack, where users can manipulate the system to act on friend requests that are not theirs.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access and privacy violations by allowing users to manipulate friend requests of others without permission.
It can also facilitate social engineering attacks by enabling attackers to control social connections or interactions between users.
Overall, it compromises the security and integrity of the friend request handling mechanism, potentially exposing users to unwanted or malicious interactions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether an authenticated user can respond to friend requests that do not belong to them via the `/api/friends/requests/{friendship_id}` endpoint.
A practical approach is to attempt to accept or reject friend requests using different user accounts and verify if unauthorized actions are allowed.
For example, you can use curl commands to simulate these requests:
- `curl -X POST -H "Authorization: Bearer <token_of_user_A>" https://<your_lollms_instance>/api/friends/requests/<friendship_id_of_user_B> -d '{"action": "accept"}'`
- If the request succeeds for a friendship_id not involving user A, the system is vulnerable.
Monitoring logs for unauthorized friend request responses or unexpected HTTP 200 responses to such requests can also help detect exploitation attempts.
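The log-monitoring idea above can be turned into a small scanner. The script below is an added example, not part of this advisory and not lollms's own tooling: it assumes a constructed access-log line format (`<user> <method> <path> <status>`) and a constructed friendship table mapping each `friendship_id` to its requester and recipient. It flags any POST to `/api/friends/requests/{friendship_id}` made by someone other than the recipient, and separates allowed responses (HTTP 200, likely exploitation on an unpatched instance) from denied ones (an attempt that the fixed check blocked). Adapt the regex and the table lookup to the real log format and database of your deployment.

```python
import re
from dataclasses import dataclass

# Constructed friendship table (hypothetical data, not from lollms):
# friendship_id -> (requester, recipient). Only the recipient may answer.
FRIENDSHIPS = {
    101: ("alice", "bob"),
    102: ("carol", "dave"),
    103: ("erin", "alice"),
}

# Constructed access-log lines in an assumed format:
#   <authenticated user> <method> <path> <http status>
LOG_LINES = """\
alice POST /api/friends/requests/101 200
bob POST /api/friends/requests/101 200
mallory POST /api/friends/requests/102 200
mallory POST /api/friends/requests/103 403
erin POST /api/friends/requests/999 404
frank GET /api/friends/requests 200
"""

LINE_RE = re.compile(
    r"^(?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/friends/requests/(?P<fid>\d+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    friendship_id: int
    status: int
    reason: str


def classify(user, friendship_id, status, friendships):
    """Return a reason string if this response should not have been attempted, else None."""
    parties = friendships.get(friendship_id)
    if parties is None:
        return None  # unknown id: nothing to judge, a 404 is the expected answer
    requester, recipient = parties
    if user == recipient:
        return None  # the legitimate responder
    who = "requester acting on own request" if user == requester else "non-party"
    verdict = "allowed" if status == 200 else "denied"
    return f"{verdict}: {who}"


def scan_log(lines, friendships):
    """Scan log text and return the suspicious friend-request responses in order."""
    findings = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # only responses to a specific request are relevant
        user, fid, status = m["user"], int(m["fid"]), int(m["status"])
        reason = classify(user, fid, status, friendships)
        if reason is not None:
            findings.append(Finding(user, fid, status, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES, FRIENDSHIPS):
        print(f"{f.user} -> friendship {f.friendship_id} ({f.status}): {f.reason}")
```

On the constructed data this reports three entries: alice answering her own request 101 (allowed), mallory acting on 102 (allowed, the pattern an unpatched instance produces) and mallory's blocked attempt on 103. The "allowed" entries are the ones worth an incident ticket; the "denied" ones show that the authorization check is in place and that someone is probing it.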
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade parisneo/lollms to version 2.2.0 or later, where the vulnerability has been fixed.
This update includes authorization checks in the `respond_request` function that ensure only users involved in a friendship can respond to friend requests, and prevent users from responding to their own requests.
If upgrading immediately is not possible, restrict access to the `/api/friends/requests/{friendship_id}` endpoint to trusted users only and monitor for suspicious activity.
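To make the missing check concrete, here is an added, self-contained sketch of a friend-request handler before and after the kind of fix described above. It is not lollms's actual `respond_request()` code: the `Friendship` model, the in-memory `db` dict, the exception classes and the function names are assumptions chosen for illustration. The vulnerable version looks the row up by id and acts on it without asking who the caller is (CWE-863); the fixed version requires that the caller be a party to the friendship, that the caller not be the requester answering their own request, and that the request still be pending.

```python
from dataclasses import dataclass


# Hypothetical model standing in for the friendship row; not lollms's schema.
@dataclass
class Friendship:
    id: int
    requester_id: str
    addressee_id: str
    status: str = "pending"  # "pending" | "accepted" | "rejected"


class NotFound(Exception):
    """Would map to HTTP 404 in a web framework."""


class Forbidden(Exception):
    """Would map to HTTP 403 in a web framework."""


class BadRequest(Exception):
    """Would map to HTTP 400 in a web framework."""


def respond_request_vulnerable(db, friendship_id, action, current_user):
    """Before the fix: the caller's identity is never compared with the row."""
    fr = db.get(friendship_id)
    if fr is None:
        raise NotFound(friendship_id)
    fr.status = "accepted" if action == "accept" else "rejected"
    return fr


def respond_request_fixed(db, friendship_id, action, current_user):
    """After the fix: only the pending request's addressee may answer it."""
    if action not in ("accept", "reject"):
        raise BadRequest(f"unknown action {action!r}")
    fr = db.get(friendship_id)
    if fr is None:
        raise NotFound(friendship_id)
    # Object-level authorization: the caller must be one of the two parties.
    if current_user not in (fr.requester_id, fr.addressee_id):
        raise Forbidden("not a party to this friendship")
    # The sender cannot accept or reject a request they issued themselves.
    if current_user == fr.requester_id:
        raise Forbidden("requester cannot respond to own request")
    # A request that was already answered must not be flipped again.
    if fr.status != "pending":
        raise BadRequest("request already answered")
    fr.status = "accepted" if action == "accept" else "rejected"
    return fr


def make_db():
    """Constructed sample data: two pending requests between four users."""
    return {
        1: Friendship(1, "alice", "bob"),
        2: Friendship(2, "carol", "dave"),
    }


def outcome(handler, db, friendship_id, action, user):
    """Run a handler and summarise the result as a short string."""
    try:
        return handler(db, friendship_id, action, user).status
    except (NotFound, Forbidden, BadRequest) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for handler in (respond_request_vulnerable, respond_request_fixed):
        db = make_db()
        print(handler.__name__)
        print("  mallory accepts 1 :", outcome(handler, db, 1, "accept", "mallory"))
        print("  alice accepts 1   :", outcome(handler, db, 1, "accept", "alice"))
        print("  bob accepts 1     :", outcome(handler, db, 1, "accept", "bob"))
```

Running it shows the difference directly: the vulnerable handler lets `mallory`, who is on neither side of friendship 1, mark it accepted, while the fixed handler rejects both the outsider and the requester and only lets `bob`, the addressee, answer. Whether the "not a party" case returns 403 or is collapsed into the same 404 as a missing row is a design choice; the latter additionally avoids confirming which friendship ids exist.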
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized users to accept or reject friend requests on behalf of other users, leading to unauthorized access and privacy violations.
Such unauthorized access and privacy breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal data and user consent.
By enabling Insecure Direct Object Reference (IDOR) attacks, the vulnerability undermines the confidentiality and integrity of user interactions, potentially exposing personal information without proper authorization.