CVE-2026-23522

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target's KB ID and target's file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r

Configurations

No configuration.

History

19 Jan 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-19 17:15

Updated : 2026-01-26 15:05

NVD link : CVE-2026-23522

Mitre link : CVE-2026-23522

CVE.ORG link : CVE-2026-23522

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

CWE-639

Authorization Bypass Through User-Controlled Key

CWE-862

Missing Authorization

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

3.7 /10