Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
- Severity:
- Low
Description
knowledgeBase.removeFilesFromKnowledgeBase tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.143.2
References
Related Issues
- Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
- jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
- StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings - CVE-2026-32104
- payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments) - CVE-2026-25574
- Tags:
- npm
- @lobehub/chat
Anything's wrong? Let us know Last updated on January 20, 2026