What is the CVSS score of EUVD-2026-17039?

EUVD-2026-17039 has a CVSS 3.1 base score of 8.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Lollms are affected by EUVD-2026-17039?

parisneo/lollms versions before 2.2.0 contain an authentication bypass flaw in friend request handling that allows any logged-in user to manipulate other users' social connections, potentially…. A patch is available.

How to fix or mitigate EUVD-2026-17039?

Within 24 hours: Inventory all parisneo/lollms installations and document current versions. Within 7 days: Upgrade all instances to version 2.2.0 or later (commit c462977 or newer). Within 30 days: Audit friendship request logs for unauthorized modifications; implement additional authorization controls on social graph endpoints; conduct user awareness training on social engineering risks.

Lollms EUVD-2026-17039

| CVE-2026-0562 HIGH

Incorrect Authorization (CWE-863)

2026-03-29 security@huntr.dev

Authentication Bypass Lollms

8.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.3 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 16:22 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 06:11 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2.2.0

EUVD ID Assigned

Mar 29, 2026 - 18:22 euvd

EUVD-2026-17039

Analysis Generated

Mar 29, 2026 - 18:22 vuln.today

CVE Published

Mar 29, 2026 - 18:16 nvd

HIGH 8.3

DescriptionCVE.org

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request() function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the /api/friends/requests/{friendship_id} endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.

AnalysisAI

{friendship_id} endpoint. The vulnerability enables any logged-in user to accept or reject friendship requests by manipulating the friendship_id parameter without authorization checks, leading to unauthorized social graph manipulation and potential account compromise via social engineering. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as any user

Delivery

Access friendship ID belonging to other users

Exploit

Call /api/friends/requests endpoint without authorization checks

Execution

Manipulate friend requests

Impact

Violate privacy and friendship integrity