Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 02 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Lobehub
Lobehub lobehub |
|
| Vendors & Products |
Lobehub
Lobehub lobehub |
Thu, 02 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users. | |
| Title | LobeChat 2.2.9 - Broken Object Level Authorization via Chat-Group Agent Operations | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-02T19:43:16.068Z
Reserved: 2026-07-02T15:38:18.929Z
Link: CVE-2026-59100
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T22:15:03Z