Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable tRPC endpoint requires low-privilege authentication and knowledge of a non-enumerable ID (AC:H/PR:L); integrity fully compromised for victim's records; confidentiality limited to plugin read-back; no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibling methods apply, and findMessagePlugin reads back by id alone. Reachable via the corresponding tRPC message procedures, an authenticated user who knows another user's message identifier can overwrite that victim's plugin tool-call metadata, plugin state/error, text-to-speech and translation records on the same instance, and the tampered content is served back to the victim. Exploitation requires knowledge of the victim's non-enumerable message identifier.
AnalysisAI
Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the LobeChat deployment must be running in server-database mode - local single-user deployments are not affected; (2) the attacker must hold a valid authenticated session on the same instance, matching CVSS PR:L - unauthenticated external attackers cannot reach the tRPC procedures; and (3) the attacker must possess prior knowledge of the target victim's specific message identifier, which the vulnerability description explicitly characterizes as non-enumerable, ruling out brute-force or sequential enumeration as practical discovery vectors. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.0 (Medium) is a reasonable reflection of the actual risk envelope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a shared LobeChat server-database instance acquires a co-user's message ID through interception of application traffic, a companion information-disclosure path, or targeted social engineering. The attacker calls the tRPC updateTranslate or updatePluginState procedure with the victim's message ID and adversarially crafted payload content, bypassing the missing userId authorization check, and the victim subsequently receives the poisoned translation or plugin state in their chat interface as if it were their own conversation data. … |
| Remediation | No vendor-released patched version is independently confirmed from the available references - the GitHub issue tracker entry and VulnCheck advisory disclose the flaw but do not reference a tagged fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing
Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by impor
Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' document
Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate c
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41422
GHSA-vc6m-gvqm-4jf2