CVE-2026-59100
LobeChat 2.2.9 - Broken Object Level Authorization via Chat-Group Agent Operations
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
0th
LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.
| CWE | CWE-639 |
| Vendor | lobehub |
| Product | lobehub |
| Published | Jul 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for lobehub lobehub
Be the first to know when new medium vulnerabilities affecting lobehub lobehub are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Affected Versions
lobehub / lobehub
0 โค 2.2.9
References
github.com: https://github.com/lobehub/lobehub/issues/16537 github.com: https://github.com/lobehub/lobehub/pull/16586 github.com: https://github.com/lobehub/lobehub/commit/9ed5a7e20d8a67c431265f5a252e9559d9920907 vulncheck.com: https://www.vulncheck.com/advisories/lobechat-broken-object-level-authorization-via-chat-group-agent-operations
Credits
George Chen