CVE Catalog

CVE-2026-59100

Severity: Medium (CVSS 5.0)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

LobeChat through version 2.2.9 contains a broken object level authorization (BOLA) vulnerability in its chat-group agent operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations resolve a chat group from the caller-supplied group identifier alone, with no predicate restricting the lookup to groups owned by the authenticated user. Any logged-in user who supplies another user's group identifier can therefore read that group's agent listing, change agent roles and ordering, and remove agents from it.

Risk Assessment

An authenticated attacker who obtains or guesses another user's group identifier can read that group's agent configuration (a confidentiality impact) and can change agent roles and ordering or remove agents outright (an integrity impact), disrupting the other user's chat group. No privilege beyond an ordinary account is needed, but a valid login is required, which is consistent with the Medium severity and the low EPSS score shown above.

Recommendation

Upgrade LobeChat to a release later than 2.2.9 as soon as possible. Independently of the upgrade, confirm that getGroupAgents, updateAgentInGroup and removeAgentsFromGroup (and any similar per-object operation) filter by the authenticated user's identity as well as by the group identifier, and that a group belonging to another user is handled the same way as a group that does not exist. A simple regression check is to sign in with two separate accounts and call each of the three operations with the other account's group identifier; all three calls should fail.

Original NVD description (English source)

LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS