Severity
3.7 LOW (NVD)
EPSS
0.1%
top 83.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 19
Latest update: Jan 20

Description

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. The `userId` filter in the database query is commented out, enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing the target's KB ID and targ
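The commented-out ownership filter, shown as an added illustration beside its corrected form. This is not LobeChat's code: the in-memory table, row shape and function names are assumptions chosen to mirror the description.

```typescript
// Added illustration of the ownership-check gap described above. NOT LobeChat's
// code: the in-memory "table", row shape and function names are assumptions
// that mirror the description (a delete predicate filtering on knowledge base
// ID and file ID whose userId clause is commented out).

interface KbFileRow {
  userId: string;
  knowledgeBaseId: string;
  fileId: string;
}

// Constructed sample data: two users, each owning one knowledge base.
function seed(): KbFileRow[] {
  return [
    { userId: "alice", knowledgeBaseId: "kb-alice", fileId: "f1" },
    { userId: "alice", knowledgeBaseId: "kb-alice", fileId: "f2" },
    { userId: "bob", knowledgeBaseId: "kb-bob", fileId: "f3" },
  ];
}

// Vulnerable shape: the caller's identity never reaches the delete predicate,
// so any authenticated caller who knows (kbId, fileId) removes the row.
function removeFilesVulnerable(
  rows: KbFileRow[], _callerId: string, kbId: string, fileIds: string[],
): KbFileRow[] {
  return rows.filter(
    (r) => !(
      r.knowledgeBaseId === kbId &&
      fileIds.includes(r.fileId)
      // && r.userId === _callerId   <- ownership filter commented out
    ),
  );
}

// Fixed shape: ownership is part of the same predicate, so a foreign userId
// matches zero rows rather than relying on a separate check the caller may skip.
function removeFilesFixed(
  rows: KbFileRow[], callerId: string, kbId: string, fileIds: string[],
): KbFileRow[] {
  return rows.filter(
    (r) => !(
      r.userId === callerId &&
      r.knowledgeBaseId === kbId &&
      fileIds.includes(r.fileId)
    ),
  );
}

// Helper for checking the outcome per user.
function countFor(rows: KbFileRow[], userId: string): number {
  return rows.filter((r) => r.userId === userId).length;
}
```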

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.2 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: lobehub/lobe-chat < 2.0.0-next.193
npm: lobehub/chat 1.143.2

🔴 Vulnerability Details (2)

OSV: Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion (2026-01-20)
GHSA: Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion (2026-01-20)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-23522 Impact, Exploitability, and Mitigation Steps | Wiz