CVE-2026-0562 in parisneo lollms
要約 (英語)
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.
責任者
@huntr_ai
予約する
2026年01月01日
公開
2026年03月30日
エントリ
| 公開済み | ベース | テンポ | 脆弱性 | CWE | 製品 | 悪用可 | 対策 | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 2026年03月30日 | 7.3 | 7.1 | parisneo lollms respond_request 特権昇格 | 863 | 不明 | 未定義 | 公式な修正 | 0.00000 | 1.98+ | CVE-2026-0562 |