Lobehub Chat vulnerabilities

11 known vulnerabilities affecting lobehub/chat.

Total CVEs: 11
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 1, MEDIUM 5, LOW 2

Vulnerabilities

CVE-2026-23835 | MEDIUM | CWE-73 | affected: ≥ 0, < 1.143.3 | 2026-02-01
LobeHub Vulnerable to Improper Authorization in Presigned Upload
Summary: The file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter
CVE-2026-23733 | CRITICAL | CWE-94 | affected: ≥ 0, ≤ 1.143.2 | 2026-01-20
Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE)
Summary: A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).
Details: The vulnerability exists in
CVE-2026-23522 | LOW | CWE-284 | affected: ≥ 0, ≤ 1.143.2 | 2026-01-20
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross-User File Deletion
Summary: The `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership.
Details: The `userId` filter in the database query is commented out, enabling attackers to delete other users' KB files if th
CVE-2025-62505 | LOW | CWE-918 | affected: ≥ 0, < 1.136.2 | 2025-10-17
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
Vulnerability Overview: When the client sends an arbitrary URL array and `impl: ["naive"]` to the tRPC endpoint `tools.search.crawlPages`, the server issues outbound HTTP requests directly to those URLs. There is no defensive logic that restricts or validates requests to int
CVE-2025-59426 | MEDIUM | CWE-601 | affected: ≥ 0, < 1.130.1 | 2025-09-24
lobe-chat has an Open Redirect
Vulnerability Overview: The project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker c
CVE-2025-59417 | MEDIUM | CWE-79 | affected: ≥ 0, < 1.129.4 | 2025-09-18
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
Summary: We identified a cross-site scripting (XSS) vulnerability when handling chat messages in lobe-chat that can be escalated to remote code execution on the user's machine. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a comp
CVE-2024-32965 | HIGH | CWE-918 | affected: ≥ 0, < 1.19.13 | 2024-11-26
@lobehub/chat Server-Side Request Forgery vulnerability
Summary: lobe-chat before 1.19.13 has an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.
Details:
- visit https://chat-preview.lobehub.com/
- click settings -> llm -> openai
- fill the OpenAI API Key you like
- fill the proxy ad
CVE-2024-47066 | CRITICAL | CVSS 9.0 | CWE-918 | affected: ≥ 0, < 1.19.13 | 2024-09-23
lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
Summary: The SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirects and can be bypassed when an attacker provides an external malicious URL which redirects to internal resources such as a private network or loopback address.
Po
CVE-2024-37895 | MEDIUM | CWE-200 | affected: ≥ 0, < 0.162.25 | 2024-06-17
Lobe Chat API Key Leak
Summary: If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.
Details: The attack process is described above.
PoC (Frontend):
1. Pass basic authentication (SSO/Access Code).
2. Set the Base URL to a private attack address.
3. Configure the reque
CVE-2024-32964 | CRITICAL | PoC available | CWE-918 | affected: ≥ 0, < 0.150.6 | 2024-05-10
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Summary: The latest version of lobe-chat (v0.141.2 at the time of the report) has an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.
Details:
- visit https://chat-preview.lobehub.com/settings/agent
- you can
CVE-2024-24566 | MEDIUM | CWE-284 | affected: ≥ 0, < 0.122.4 | 2024-01-31
@lobehub/chat vulnerable to unauthorized access to plugins
Description: When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without a password).
Proof-of-Concept: Let's suppose that the application has been deployed with the following command:
sudo docker run -d -p 3210:3210 -e OPENAI_API_KEY=sk-[REDACTED] -e