CVE-2026-23835
Insecure File Upload in LobeHub Enables Quota Bypass and DoS

Publication date: 2026-01-30

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description
LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue.
Meta Information
Published: 2026-01-30
Last Modified: 2026-01-30
Generated: 2026-05-07
AI Q&A: 2026-01-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor    Product    Version / Range
lobehub   lobehub    up to 1.143.3 (excluding)
lobehub   lobehub    1.143.3
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in LobeHub versions prior to 1.143.3 involves improper validation of file upload requests in the Knowledge Base > File Upload feature. Attackers can intercept and modify upload request parameters, such as the file name and size, allowing them to upload arbitrary files to unintended filesystem paths and manipulate the reported file size. This enables bypassing upload size restrictions and quotas, leading to unauthorized file uploads and resource misuse. [1]


How can this vulnerability impact me?

The vulnerability can cause exhaustion of storage and related resources, degraded service availability including failed uploads and delayed content delivery, and temporary suspension of upload functionality for legitimate users. It can also cause financial losses due to discrepancies between actual resource consumption and billing calculations. Additionally, a malicious user can indirectly cause denial of service (DoS) to others sharing the same subscription plan. Excessive unaccounted uploads may distort monitoring metrics and overload downstream systems such as backup, malware scanning, and media processing pipelines, undermining operational stability and service reliability. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and intercepting POST requests to the endpoint `/trpc/lambda/file.createFile?batch=1` and inspecting the upload request parameters, specifically the file name and size fields, for anomalies or unauthorized modifications. Tools like Burp Suite can be used to intercept and analyze these requests. Additionally, checking for discrepancies between reported file sizes and actual storage usage can indicate exploitation. Commands to capture and inspect such traffic might include using network packet capture tools like `tcpdump` or `Wireshark` filtered for the relevant endpoint, for example: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep '/trpc/lambda/file.createFile?batch=1'`. However, specific commands to detect this vulnerability are not detailed in the provided resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade LobeHub to version 1.143.3 or later, where the vulnerability has been patched. This update includes proper validation of upload request parameters to prevent unauthorized file creation and manipulation of file size values. Until the patch is applied, monitoring upload requests for suspicious activity and restricting access to the file upload feature may help reduce risk. [1]

