CVE-2026-23522
Authorization Bypass in LobeChat Allows Unauthorized Knowledge Base File Deletion

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. The `userId` filter in the database query is commented out, enabling attackers to delete other users' knowledge base files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing the target's knowledge base ID and file ID. These IDs are random and not easily enumerable; however, they may leak through shared links, logs, referrer headers and so on. The missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch.
Meta Information
Published: 2026-01-19
Last Modified: 2026-01-19
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor   Product    Version / Range
lobehub  lobe_chat  up to 2.0.0-next.193 (excluding)
lobehub  chat       up to 2.0.0-next.192 (including)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-23522 is an Insecure Direct Object Reference (IDOR) vulnerability in the LobeChat open source chat application, specifically in the tRPC endpoint knowledgeBase.removeFilesFromKnowledgeBase. Before version 2.0.0-next.193, authenticated users could delete files from any knowledge base without verifying ownership because the userId filter in the database query was commented out. This means attackers who know a target knowledge base ID and file ID can delete files belonging to other users. Although these IDs are random and not easily enumerable, they may leak through shared links, logs, or referrer headers. The vulnerability allows unauthorized deletion of files, which is a critical security flaw. [1]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized deletion of files from any user's knowledge base, potentially disrupting functionalities such as Retrieval-Augmented Generation (RAG) or AI features that rely on those files. It can cause loss of important or proprietary data. While exploitation requires knowledge of specific knowledge base and file IDs, these may be leaked, making the attack feasible. The impact is primarily on data integrity due to unauthorized file deletion. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the tRPC endpoint knowledgeBase.removeFilesFromKnowledgeBase that specify knowledge base IDs and file IDs not owned by the authenticated user. A proof-of-concept involves sending a POST request with an authenticated session token and the victim's knowledge base and file IDs, resulting in deletion. Network monitoring tools or logs can be inspected for such requests. Specific commands are not provided in the resources, but inspecting HTTP POST requests to the vulnerable endpoint and verifying ownership checks in the backend can help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade LobeChat to version 2.0.0-next.193 or later, where the vulnerability is patched by adding proper userId authorization checks in the removeFilesFromKnowledgeBase method to ensure only owners can delete files. Additionally, verifying that file size validation is done against actual S3 metadata rather than client input helps prevent related security issues. Until the upgrade, restrict access to the vulnerable endpoint and monitor for suspicious deletion requests. [1, 2]
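As an added illustration of the pattern the description and this answer refer to (a hypothetical in-memory store, not LobeChat's code), the same deletion routine is written once with the ownership filter absent and once with it present, and run against constructed sample data:

```typescript
// Added illustration of the CVE-2026-23522 pattern (hypothetical in-memory
// store, not LobeChat's code): one deletion routine written with and without
// the ownership (userId) filter, exercised on constructed sample data.
interface KnowledgeBase {
  id: string;
  userId: string; // owner of the knowledge base
  files: Set<string>;
}

class KnowledgeBaseStore {
  private kbs = new Map<string, KnowledgeBase>();

  constructor(seed: KnowledgeBase[]) {
    for (const kb of seed) this.kbs.set(kb.id, kb);
  }

  hasFile(kbId: string, fileId: string): boolean {
    return this.kbs.get(kbId)?.files.has(fileId) ?? false;
  }

  // Vulnerable shape: the lookup is scoped by knowledge base id only, which is
  // what a query with its userId predicate commented out amounts to. Any
  // authenticated caller who knows kbId and fileId can delete.
  removeFilesVulnerable(kbId: string, fileIds: string[], _userId: string): number {
    const kb = this.kbs.get(kbId);
    if (!kb) return 0;
    return fileIds.filter((f) => kb.files.delete(f)).length;
  }

  // Fixed shape: ownership is part of the lookup (the equivalent of
  // WHERE id = ? AND userId = ?), so a non-owner gets the same "not found"
  // outcome as a bogus kbId and nothing is deleted.
  removeFilesFixed(kbId: string, fileIds: string[], userId: string): number {
    const kb = this.kbs.get(kbId);
    if (!kb || kb.userId !== userId) return 0;
    return fileIds.filter((f) => kb.files.delete(f)).length;
  }
}

// Constructed sample data: alice owns kb-1; bob is another authenticated user.
function runDemo() {
  const store = new KnowledgeBaseStore([
    { id: "kb-1", userId: "alice", files: new Set(["file-a", "file-b"]) },
  ]);
  const byBobVulnerable = store.removeFilesVulnerable("kb-1", ["file-a"], "bob");
  const byBobFixed = store.removeFilesFixed("kb-1", ["file-b"], "bob");
  const fileBStillThere = store.hasFile("kb-1", "file-b");
  const byAliceFixed = store.removeFilesFixed("kb-1", ["file-b"], "alice");
  return { byBobVulnerable, byBobFixed, fileBStillThere, byAliceFixed };
}
```

The fixed variant folds ownership into the lookup rather than checking it afterwards, so an unauthorized caller and a non-existent knowledge base are indistinguishable from the outside.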

