What happened
CVE-2026-59100 (CVSS 5.0 Medium) was published to NVD on 2 July 2026. LobeChat through 2.2.9 contains a broken object-level authorisation (BOLA/IDOR) vulnerability. The group-agents API endpoints accept user-supplied group identifiers without verifying that the requesting user owns the targeted group, allowing any authenticated user to read, overwrite, or delete another user's chat-group agent configurations.
Why it matters
LobeChat is a widely deployed open-source AI chat platform. Agent configurations stored in chat groups may contain custom system prompts, tool credentials, and behavioural settings. BOLA enables an authenticated attacker to silently exfiltrate or tamper with other users' AI agent setups, potentially injecting malicious instructions into agents that will run under the victim's identity.
Attack vector
Any authenticated user can call the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup API endpoints with the identifier of a group belonging to another user. The endpoints perform no ownership check on the supplied identifier, so they return or modify the target user's agent group data as if the caller owned it.
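The pattern behind the flaw, and the fix for it, in a minimal TypeScript model. This is an added example and not LobeChat's code: the types, the in-memory store, loadOwnedGroup, isDenied and the *Vulnerable and *Fixed handlers are all hypothetical; only the endpoint names echo the advisory.

```typescript
// Added example, not LobeChat's code: a minimal model of the group-agents
// authorisation flaw described above and of the ownership check that fixes it.
// Every name here (ChatGroup, AgentConfig, loadOwnedGroup, the *Vulnerable and
// *Fixed handlers) is hypothetical; the endpoint names echo the advisory only.

type AgentConfig = { agentId: string; systemPrompt: string };
type ChatGroup = { id: string; ownerId: string; agents: AgentConfig[] };

// Constructed sample data standing in for the database: two users, one group each.
const groups = new Map<string, ChatGroup>([
  ["grp-alice", { id: "grp-alice", ownerId: "alice",
                  agents: [{ agentId: "a1", systemPrompt: "You are Alice's assistant." }] }],
  ["grp-bob",   { id: "grp-bob",   ownerId: "bob",
                  agents: [{ agentId: "b1", systemPrompt: "You are Bob's assistant." }] }],
]);

// One error for "does not exist" and "not owned by the caller", so a response
// never reveals whether a guessed group identifier is real.
const NOT_FOUND = "not found";
function notFound(): Error { return new Error(NOT_FOUND); }

// VULNERABLE pattern: the record is fetched by identifier alone. The caller's
// identity is established (authentication) but never compared with the record's
// owner (authorisation), which is exactly the BOLA/IDOR condition.
export function getGroupAgentsVulnerable(_callerId: string, groupId: string): AgentConfig[] {
  const group = groups.get(groupId);
  if (!group) throw notFound();
  return group.agents;
}

// FIXED pattern: every read and write goes through one loader that scopes the
// lookup to the caller. A group owned by someone else is treated exactly like
// a missing one. In SQL this is the difference between "WHERE id = ?" and
// "WHERE id = ? AND owner_id = ?".
function loadOwnedGroup(callerId: string, groupId: string): ChatGroup {
  const group = groups.get(groupId);
  if (!group || group.ownerId !== callerId) throw notFound();
  return group;
}

export function getGroupAgentsFixed(callerId: string, groupId: string): AgentConfig[] {
  return loadOwnedGroup(callerId, groupId).agents;
}

export function updateAgentInGroupFixed(
  callerId: string, groupId: string, agentId: string, patch: { systemPrompt: string },
): AgentConfig {
  const group = loadOwnedGroup(callerId, groupId);
  const agent = group.agents.find((a) => a.agentId === agentId);
  if (!agent) throw notFound();
  agent.systemPrompt = patch.systemPrompt;
  return agent;
}

// Returns how many agents were removed; the ownership check runs before any mutation.
export function removeAgentsFromGroupFixed(callerId: string, groupId: string, agentIds: string[]): number {
  const group = loadOwnedGroup(callerId, groupId);
  const before = group.agents.length;
  group.agents = group.agents.filter((a) => !agentIds.includes(a.agentId));
  return before - group.agents.length;
}

// Helper for exercising the handlers: true when the call was refused.
export function isDenied(call: () => unknown): boolean {
  try { call(); return false; } catch (e) { return e instanceof Error && e.message === NOT_FOUND; }
}

// Demo: Bob reads Alice's group through the vulnerable handler and is refused by the fixed one.
console.log("vulnerable handler returns:", getGroupAgentsVulnerable("bob", "grp-alice").map((a) => a.agentId));
console.log("fixed handler denies:", isDenied(() => getGroupAgentsFixed("bob", "grp-alice")));
```

Two design points carry over to a real code base: the ownership condition belongs in the shared loader (or the query itself), not in each handler, so that a new endpoint cannot forget it; and a refused lookup should be logged with the caller id and the requested group id, since a single user hitting many identifiers they do not own is the observable signature of this class of abuse.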
Affected systems
LobeChat (lobehub/lobehub) ≤ 2.2.9
Mitigation
Upgrade LobeChat to a release that incorporates the patch commit https://github.com/lobehub/lobehub/commit/9ed5a7e20d8a67c431265f5a252e9559d9920907. Operators can confirm a deployed build is fixed by checking that its source history contains that commit.
Reference: NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-59100