CVE-2026-59098
Status: Received - Intake

Broken Access Control in LobeChat RAG Semantic Search

Vulnerability report for CVE-2026-59098, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

LobeChat through 2.2.9 contains a broken access control vulnerability in the retrieval-augmented-generation semantic search functionality that allows authenticated attackers to access other users' data by exploiting missing user-identifier predicates in the chunk model semanticSearch method. Attackers can supply arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths to retrieve text content, file names, and metadata belonging to other users.

CVSS Scores

No CVSS score is listed for this entry.

EPSS Scores

Probability: N/A
Percentile: N/A
Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

No structured vendor/product data has been published for this entry yet. Per the description, the affected product is LobeChat, versions through 2.2.9.

Helpful Resources

None listed.

Exploitability

CWE: CWE-639 - The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
KEV: no KEV entry is shown for this CVE.

Attack-Flow Graph

AI Quick Actions

Executive Summary

CVE-2026-59098 is a broken access control vulnerability (CWE-639, an insecure direct object reference) in LobeChat version 2.2.9 and earlier, specifically in the retrieval-augmented-generation (RAG) semantic search functionality.

The chunk model's semanticSearch method filters chunks by the file or knowledge-base identifiers supplied in the request but carries no predicate on the caller's user ID. An authenticated attacker can therefore supply another user's file or knowledge-base identifiers, through the chunk retrieval or chat knowledge-base paths, and receive that user's text content, file names, and metadata.

The root cause is that file and knowledge-base lookups are not scoped to the caller's user ID or workspace, so any identifier the attacker knows or guesses resolves regardless of who owns it.

Impact Analysis

This vulnerability leads to unauthorized disclosure of other users' data in any multi-user deployment of LobeChat. The attacker needs only a valid account; no elevated role is required. A single-user deployment has no other user's data to reach and is not exposed in practice, but the missing predicate is still present.

  • Any authenticated user can read private documents of other users: chunk text content, file names, and metadata.
  • Confidentiality of uploaded documents and knowledge bases is lost across all users of the instance.
  • Organizations using LobeChat for internal knowledge management may leak sensitive or regulated documents between tenants or teams.
Detection Guidance

This is an application-level authorization bypass: the chunk model's semanticSearch (and semanticSearchForChat) lookups filter by the file or knowledge-base identifiers the caller supplies but not by the caller's user ID, so nothing at the network layer distinguishes a legitimate query from a cross-user one. Detection therefore means testing the request paths that reach these methods and logging the identifiers they receive.

To test, use two accounts you control on the same instance (do not probe real users' data). From the first account, issue a chunk retrieval or chat knowledge-base request that names a file or knowledge-base ID owned by the second account. If the response contains the second account's text content, file names, or metadata, the instance is vulnerable. An HTTP client such as curl or Postman is sufficient; the exact route and payload shape depend on the LobeChat version, so capture them from your own instance's traffic rather than guessing.

  • Send an authenticated semantic-search request whose file or knowledge-base IDs belong to the other test account.
  • A correct instance returns only the caller's own data; any row owned by the other account is a positive finding.
  • Add application-level logging of the caller's user ID and the requested file/knowledge-base IDs on these paths, and alert when a requested ID resolves to a different owner. Default HTTP access logs will not show this.
Mitigation Strategies

The fix is to apply the official patch, which scopes knowledge-base file resolution to the caller's user ID and workspace. The patch adds a workspace-aware ownership filter in KnowledgeBaseSearchService, so a supplied file or knowledge-base identifier only resolves when the caller owns it; identifiers for other users' resources return nothing instead of their content.

If you cannot patch immediately, reduce exposure rather than rely on identifiers being hard to guess: restrict the deployment to trusted users, or disable the RAG semantic search feature until patched, and monitor for requests that name identifiers outside the caller's workspace.

Also audit other lookups that accept caller-supplied identifiers (files, knowledge bases, chunks) to confirm each query carries the ownership predicate; the same bug class recurs wherever a record is fetched by ID alone.

  • Apply the official patch that adds workspace predicates to knowledge-base file queries.
  • Restrict or disable the RAG semantic search feature until patched.
  • Monitor logs for access to file or knowledge-base identifiers owned by other users.
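The bug class behind the detection and mitigation guidance above, as an added example that is not LobeChat's code or schema: an in-memory semantic search over embedded chunks where the vulnerable lookup filters only by the caller-supplied file IDs, the hardened lookup ANDs the caller's user ID onto the same query, and a probe runs the search as one user against another user's file ID to see whether rows leak. The `Chunk` shape, the three-dimensional embeddings, the sample rows, and the function names `semanticSearchVulnerable`, `semanticSearchScoped` and `probeCrossUserAccess` are all illustrative assumptions.

```typescript
// Added example: the missing-ownership-predicate bug class (CWE-639) in a
// RAG semantic search, modelled over an in-memory store. Not LobeChat code;
// every name and the sample data below are constructed for illustration.

interface Chunk {
  id: string;
  fileId: string;
  userId: string;      // owner of the file the chunk was extracted from
  fileName: string;
  text: string;
  embedding: number[]; // toy 3-dimensional embedding (a real store uses pgvector)
}

interface SearchRequest {
  userId: string;      // the authenticated caller
  fileIds: string[];   // caller-supplied file IDs to restrict the search to
  query: number[];     // embedding of the search text
  limit?: number;
}

// Constructed sample data: two users, one file each.
const CHUNKS: Chunk[] = [
  { id: "c1", fileId: "file-alice", userId: "alice", fileName: "alice-notes.md", text: "alice quarterly numbers", embedding: [1, 0, 0] },
  { id: "c2", fileId: "file-alice", userId: "alice", fileName: "alice-notes.md", text: "alice hiring plan", embedding: [0.9, 0.1, 0] },
  { id: "c3", fileId: "file-bob", userId: "bob", fileName: "bob-secrets.pdf", text: "bob api keys", embedding: [0, 1, 0] },
];

// Cosine similarity between two embeddings (0 when either vector is zero).
function cosine(a: number[], b: number[]): number {
  let dot = 0, na = 0, nb = 0;
  for (let i = 0; i < a.length; i++) { dot += a[i] * b[i]; na += a[i] * a[i]; nb += b[i] * b[i]; }
  return na > 0 && nb > 0 ? dot / (Math.sqrt(na) * Math.sqrt(nb)) : 0;
}

// Rank candidate chunks by similarity to the query and keep the top `limit`.
function rank(chunks: Chunk[], query: number[], limit: number): Chunk[] {
  return [...chunks]
    .sort((x, y) => cosine(y.embedding, query) - cosine(x.embedding, query))
    .slice(0, limit);
}

// BEFORE (vulnerable): the only predicate is the caller-supplied fileIds, so
// any authenticated user who knows another user's file ID reads its chunks.
function semanticSearchVulnerable(store: Chunk[], req: SearchRequest): Chunk[] {
  const candidates = store.filter((c) => req.fileIds.includes(c.fileId));
  return rank(candidates, req.query, req.limit ?? 5);
}

// AFTER (hardened): the ownership predicate is ANDed onto the same lookup.
// Supplied file IDs are still honoured, but only files the caller owns match;
// a victim's ID yields an empty result rather than the victim's content.
function semanticSearchScoped(store: Chunk[], req: SearchRequest): Chunk[] {
  const candidates = store.filter(
    (c) => c.userId === req.userId && req.fileIds.includes(c.fileId),
  );
  return rank(candidates, req.query, req.limit ?? 5);
}

// Detection probe: search as `attacker` against a file ID owned by someone
// else and return every row whose owner is not the caller. A non-empty result
// means the ownership predicate is missing.
function probeCrossUserAccess(
  search: (store: Chunk[], req: SearchRequest) => Chunk[],
  attacker: string,
  victimFileId: string,
): Chunk[] {
  const hits = search(CHUNKS, { userId: attacker, fileIds: [victimFileId], query: [0, 1, 0] });
  return hits.filter((c) => c.userId !== attacker);
}

// Stand-alone run: bob probes alice's file against both implementations.
console.log("vulnerable leaks:", probeCrossUserAccess(semanticSearchVulnerable, "bob", "file-alice").map((c) => c.id));
console.log("scoped leaks:", probeCrossUserAccess(semanticSearchScoped, "bob", "file-alice").map((c) => c.id));
```

In a SQL- or ORM-backed store the equivalent of `semanticSearchScoped` is adding `user_id = :caller` (or the ORM's `and(eq(chunks.userId, caller), inArray(chunks.fileId, fileIds))`) to the query itself, not checking ownership after the rows come back; a post-filter still lets the database do the cross-user read and is easy to forget on the next code path. The probe is the same check the detection guidance describes, run against a function instead of an HTTP route.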
