LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.
References
Configurations
No configuration.
History
02 Jul 2026, 20:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-02 20:17
Updated : 2026-07-06 18:52
NVD link : CVE-2026-59100
Mitre link : CVE-2026-59100
CVE.ORG link : CVE-2026-59100
JSON object : View
Products Affected
No product.
CWE
CWE-639
Authorization Bypass Through User-Controlled Key
