Skip to main content

Lobehub

5 CVEs product

Monthly

CVE-2026-59100 LOW POC PATCH Monitor

Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-59098 HIGH POC PATCH This Week

Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59095 HIGH POC PATCH This Week

Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. Publicly available exploit code exists and a vendor patch has shipped, though it is not listed in CISA KEV.

SSRF Lobehub
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-58580 MEDIUM This Month

Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-58578 HIGH POC PATCH This Week

Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.

Node.js Denial Of Service Lobehub
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.

Authentication Bypass Lobehub
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.

Authentication Bypass Lobehub
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. Publicly available exploit code exists and a vendor patch has shipped, though it is not listed in CISA KEV.

SSRF Lobehub
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.

Authentication Bypass Lobehub
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.

Node.js Denial Of Service Lobehub
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy