Description

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target's KB ID and target's file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch.

INFO

Published Date :

2026-01-19T16:53:32.371Z

Last Modified :

2026-01-20T21:35:39.441Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23522 vulnerability.

Vendors Products
Lobehub
  • Lobe Chat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23522.

URL Resource
https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6 cve-icon cve-icon
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact