How to fix EUVD-2026-17039?

Within 24 hours: Inventory all LoLLMS deployments and identify current versions in use; disable or restrict the `/api/friends/requests/` endpoint if version is below 2.2.0. Within 7 days: Upgrade all LoLLMS instances to version 2.2.0 or later (verified against commit c462977). Within 30 days: Conduct audit of friendship graphs for unauthorized connections created during the vulnerability window; implement API request logging and monitoring for suspicious friendship manipulation patterns; review user access logs for lateral movement attempts leveraging fraudulent trust relationships.

EUVD-2026-17039

| CVE-2026-0562 HIGH

2026-03-29 [email protected]

8.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 29, 2026 - 18:22 euvd

EUVD-2026-17039

Analysis Generated

Mar 29, 2026 - 18:22 vuln.today

CVE Published

Mar 29, 2026 - 18:16 nvd

HIGH 8.3

Description

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.

Analysis

Authenticated users in parisneo/lollms (versions before 2.2.0) can hijack friend requests intended for other users through an Insecure Direct Object Reference (IDOR) flaw in the `/api/friends/requests/{friendship_id}` endpoint. The vulnerability enables any logged-in user to accept or reject friendship requests by manipulating the `friendship_id` parameter without authorization checks, leading to unauthorized social graph manipulation and potential account compromise via social engineering. …

Remediation

Within 24 hours: Inventory all LoLLMS deployments and identify current versions in use; disable or restrict the `/api/friends/requests/` endpoint if version is below 2.2.0. Within 7 days: Upgrade all LoLLMS instances to version 2.2.0 or later (verified against commit c462977). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +42

POC: 0

EUVD-2026-17039 vulnerability details – vuln.today

Back

EUVD-2026-17039

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-17039

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code