PT-2026-1065 · Parisneo · Lollms

Published: 2025-12-29 · Updated: 2026-04-18 · CVE-2026-0562

CVSS v2.0: 8.7 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions: parisneo/lollms versions up to 2.2.0
Description: A security issue exists in parisneo/lollms that allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request() function in backend/routers/friends.py lacks proper authorization checks, leading to an Insecure Direct Object Reference (IDOR) condition. The /api/friends/requests/{friendship_id} API endpoint does not confirm that the authenticated user is a party to the friendship or the intended recipient of the request. This can result in unauthorized access and potential privacy breaches.
Recommendations: Update to version 2.2.0 or later.
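As an added illustration of the bug class described above (not lollms' own code; the function, field and store names are assumed), the missing-check handler beside a hardened variant, modelled as plain Python functions rather than framework route handlers so it runs without dependencies:

```python
from dataclasses import dataclass

# Illustrative model of the bug class described in the advisory; the function
# and field names are assumed and are not lollms' own code.

@dataclass
class FriendRequest:
    id: int
    sender: str
    recipient: str
    status: str = "pending"

class NotFound(Exception):
    """No friend request with that id (HTTP 404 in a real router)."""

class Forbidden(Exception):
    """Caller is not the recipient of the request (HTTP 403)."""

def make_sample_store() -> dict[int, FriendRequest]:
    """Constructed sample data: two pending requests between unrelated users."""
    return {1: FriendRequest(1, "alice", "bob"), 2: FriendRequest(2, "carol", "dave")}

def _apply(req: FriendRequest, action: str) -> FriendRequest:
    """Shared state transition; validates the action and the pending state."""
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action {action!r}")
    if req.status != "pending":
        raise ValueError("request already answered")
    req.status = "accepted" if action == "accept" else "rejected"
    return req

def respond_request_vulnerable(store, friendship_id, action, current_user) -> FriendRequest:
    """IDOR pattern: the request is located by id alone, so any authenticated
    user can answer a request they are not party to (current_user is never checked)."""
    req = store.get(friendship_id)
    if req is None:
        raise NotFound(friendship_id)
    return _apply(req, action)

def respond_request_fixed(store, friendship_id, action, current_user) -> FriendRequest:
    """Hardened: after lookup, bind the object to the caller before any state change."""
    req = store.get(friendship_id)
    if req is None:
        raise NotFound(friendship_id)
    if req.recipient != current_user:
        # Only the intended recipient may answer; replying 404 rather than 403
        # is equally valid if you prefer not to reveal that the id exists.
        raise Forbidden(f"{current_user!r} is not the recipient of request {friendship_id}")
    return _apply(req, action)
```

The authorization check belongs in the handler itself (or a shared dependency it calls), since authentication alone only establishes who the caller is, not whether the referenced object is theirs.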

Weakness Enumeration: Incorrect Authorization

Related Identifiers: BDU:2026-06491, CVE-2026-0562

Affected Products: Lollms