Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
- Severity:
- Low
Description
knowledgeBase.removeFilesFromKnowledgeBase tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.143.2
References
Related Issues
- LobeHub Vulnerable to Improper Authorization in Presigned Upload - CVE-2026-23835
- SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - CVE-2025-67647
- MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 - CVE-2025-67898
- Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
- Tags:
- npm
- @lobehub/chat
Anything's wrong? Let us know Last updated on January 20, 2026