Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
- Severity: Low
Description
The knowledgeBase.removeFilesFromKnowledgeBase tRPC endpoint lets any authenticated user remove files from any knowledge base: the endpoint checks that the caller is logged in, but does not verify that the caller owns the knowledge base (or the files) identified by the client-supplied IDs. An attacker who knows or guesses another user's knowledge base and file identifiers can therefore delete that user's files (an insecure direct object reference, IDOR).
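The following is an added illustration of the authorization gap described above, not code from Lobe Chat itself. It models the endpoint as a plain TypeScript function over an in-memory store so it runs offline; the type and field names (KnowledgeBase, ownerId, ctx.userId, knowledgeBaseId, fileIds) are assumptions for illustration, and the sample data is constructed. The vulnerable shape deletes whatever file IDs the client sends after only an authentication check; the hardened shape resolves the knowledge base, requires that the caller owns it, and deletes only files that belong to that knowledge base.

```typescript
// Added example, not Lobe Chat's code. Names and data are hypothetical.

type KnowledgeBase = { id: string; ownerId: string };
type FileRecord = { id: string; knowledgeBaseId: string };
type Ctx = { userId: string }; // authenticated caller, as a tRPC context would carry
type Input = { knowledgeBaseId: string; fileIds: string[] };

// Constructed sample data: two users, one knowledge base each, three files.
function seed() {
  const kbs = new Map<string, KnowledgeBase>([
    ["kb-alice", { id: "kb-alice", ownerId: "alice" }],
    ["kb-bob", { id: "kb-bob", ownerId: "bob" }],
  ]);
  const files = new Map<string, FileRecord>([
    ["f1", { id: "f1", knowledgeBaseId: "kb-alice" }],
    ["f2", { id: "f2", knowledgeBaseId: "kb-alice" }],
    ["f3", { id: "f3", knowledgeBaseId: "kb-bob" }],
  ]);
  return { kbs, files };
}
type Store = ReturnType<typeof seed>;

// Vulnerable shape: authenticated, but files are deleted by client-supplied id
// with no check that the caller owns the knowledge base or the files.
export function removeFilesVulnerable(store: Store, ctx: Ctx, input: Input): number {
  if (!ctx.userId) throw new Error("UNAUTHORIZED");
  let removed = 0;
  for (const fileId of input.fileIds) {
    if (store.files.delete(fileId)) removed++;
  }
  return removed;
}

// Hardened shape: resolve the knowledge base, require ownership, and delete
// only files that actually belong to that knowledge base.
export function removeFilesHardened(store: Store, ctx: Ctx, input: Input): number {
  if (!ctx.userId) throw new Error("UNAUTHORIZED");
  const kb = store.kbs.get(input.knowledgeBaseId);
  // Same error for "does not exist" and "not yours", so existence is not leaked.
  if (!kb || kb.ownerId !== ctx.userId) throw new Error("NOT_FOUND");
  let removed = 0;
  for (const fileId of input.fileIds) {
    const f = store.files.get(fileId);
    // A valid file id that belongs to another knowledge base is ignored.
    if (!f || f.knowledgeBaseId !== kb.id) continue;
    store.files.delete(fileId);
    removed++;
  }
  return removed;
}

// Demonstration: bob targets alice's knowledge base and file ids.
export function demo(): { vulnerableRemoved: number; hardenedError: string; hardenedOwnRemoved: number } {
  const attacker: Ctx = { userId: "bob" };
  const attack: Input = { knowledgeBaseId: "kb-alice", fileIds: ["f1", "f2"] };

  const s1 = seed();
  const vulnerableRemoved = removeFilesVulnerable(s1, attacker, attack); // cross-user deletion succeeds: 2

  const s2 = seed();
  let hardenedError = "";
  try {
    removeFilesHardened(s2, attacker, attack);
  } catch (e) {
    hardenedError = (e as Error).message; // "NOT_FOUND", nothing deleted
  }
  // The legitimate owner still works; a foreign file id mixed in (f3) is skipped.
  const hardenedOwnRemoved = removeFilesHardened(
    s2,
    { userId: "alice" },
    { knowledgeBaseId: "kb-alice", fileIds: ["f1", "f3"] },
  ); // 1

  return { vulnerableRemoved, hardenedError, hardenedOwnRemoved };
}
```

The important design point is that the ownership check is made against the object resolved on the server side, not against anything the client asserts about itself, and that the file-to-knowledge-base relation is re-checked per file so a mixed list of IDs cannot reach across a boundary the caller does own.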
Recommendation
No fix is available yet. Affected versions:
- <= 1.143.2
Related Issues
- Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
- SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
- Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click - CVE-2026-43941
- lobe-chat has an Open Redirect - CVE-2025-59426
- Tags: npm, @lobehub/chat
Last updated on January 20, 2026