CVE-2026-59100
Severity: Medium (CVSS 5.0)
Exploitation Probability (EPSS): Low risk, 8th percentile (higher than 8% of all known CVEs)
Summary
LobeChat through version 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.
Risk Assessment
The risk involves unauthorized access to sensitive agent data and the ability to modify or delete it, potentially leading to integrity and confidentiality breaches and disruption of other users' chat group operations.
Recommendation
It is recommended to immediately upgrade LobeChat to a version later than 2.2.9 and implement object-level access controls to ensure users can only manipulate their own chat group data.
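The defect class the advisory describes (a lookup keyed only on the attacker-supplied group id, with no user-scoped predicate) and the fix it recommends (object-level ownership checks) can be shown side by side. The following is an added illustration, not LobeChat's code: it uses an in-memory store with constructed sample data, borrows only the operation names from the advisory (getGroupAgents, updateAgentInGroup, removeAgentsFromGroup), and assumes a simple ownership model in which each chat group has a single owning userId.

```typescript
// Added example for CVE-2026-59100 (broken object level authorization).
// NOT LobeChat's code: the store, rows and ownership model are constructed.

interface ChatGroup { id: string; userId: string }
interface GroupAgent { groupId: string; agentId: string; role: string; order: number }

// Constructed sample data: alice owns group g1, bob owns group g2.
const chatGroups: ChatGroup[] = [
  { id: "g1", userId: "alice" },
  { id: "g2", userId: "bob" },
];
const groupAgents: GroupAgent[] = [
  { groupId: "g1", agentId: "a1", role: "participant", order: 0 },
  { groupId: "g2", agentId: "a2", role: "supervisor", order: 0 },
  { groupId: "g2", agentId: "a3", role: "participant", order: 1 },
];

// Vulnerable shape: the only predicate is the caller-supplied groupId, so any
// authenticated user can read (and, in the write variants, modify) any group.
function getGroupAgentsVulnerable(groupId: string): GroupAgent[] {
  return groupAgents.filter((ga) => ga.groupId === groupId);
}

// Hardened shape: resolve the group under a user-scoped predicate
// (id AND userId) before touching any agent rows; refuse if not owned.
function ownedGroup(userId: string, groupId: string): ChatGroup | undefined {
  return chatGroups.find((g) => g.id === groupId && g.userId === userId);
}

function getGroupAgents(userId: string, groupId: string): GroupAgent[] {
  if (!ownedGroup(userId, groupId)) throw new Error("forbidden: group not owned by caller");
  return groupAgents.filter((ga) => ga.groupId === groupId);
}

function updateAgentInGroup(
  userId: string,
  groupId: string,
  agentId: string,
  patch: Partial<Pick<GroupAgent, "role" | "order">>,
): GroupAgent {
  if (!ownedGroup(userId, groupId)) throw new Error("forbidden: group not owned by caller");
  const row = groupAgents.find((ga) => ga.groupId === groupId && ga.agentId === agentId);
  if (!row) throw new Error("not found: agent is not in this group");
  Object.assign(row, patch); // role / ordering changes only after the ownership check
  return row;
}

// Returns the number of rows removed; the ownership check runs before any delete.
function removeAgentsFromGroup(userId: string, groupId: string, agentIds: string[]): number {
  if (!ownedGroup(userId, groupId)) throw new Error("forbidden: group not owned by caller");
  const before = groupAgents.length;
  for (let i = groupAgents.length - 1; i >= 0; i--) {
    const ga = groupAgents[i];
    if (ga.groupId === groupId && agentIds.includes(ga.agentId)) groupAgents.splice(i, 1);
  }
  return before - groupAgents.length;
}
```

The practical check for a deployment is a regression test in exactly this shape: call each group operation as a user who does not own the group and assert that it is refused before any row is read or written. Passing the caller's identity into the data-access layer, rather than trusting the id in the request, is what turns the vulnerable predicate into a user-scoped one.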
Original NVD description (English source)
LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.

