LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.
Metrics
Affected Vendors & Products
References
History
Thu, 02 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Lobehub
Lobehub lobehub |
|
| Vendors & Products |
Lobehub
Lobehub lobehub |
Thu, 02 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users. | |
| Title | LobeChat 2.2.9 - Broken Object Level Authorization via Chat-Group Agent Operations | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-02T19:43:16.068Z
Reserved: 2026-07-02T15:38:18.929Z
Link: CVE-2026-59100
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T22:15:03Z