Vulnerability  ·  2026-07-03

LobeChat — Broken Object-Level Authorization Allows Authenticated Users to Access and Modify Other Users' Agent Group Data (CVE-2026-59100)

CVE-2026-59100 (CVSS 5.0 Medium) was published to NVD on 2 July 2026. LobeChat through 2.2.9 contains a broken object-level authorisation (BOLA/IDOR) vulnerability. The group-agents API endpoints accept user-supplied group identifiers without verifying that the requesting user owns the targeted group, allowing any authenticated user to read, overwrite, or delete another user's chat-group agent configurations.
LobeChat is a widely deployed open-source AI chat platform. Agent configurations stored in chat groups may contain custom system prompts, tool credentials, and behavioural settings. BOLA enables an authenticated attacker to silently exfiltrate or tamper with other users' AI agent setups, potentially injecting malicious instructions into agents that will run under the victim's identity.
Authenticated attackers invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup API endpoints with arbitrary group identifiers belonging to other users. The API performs no ownership verification, returning or modifying the target user's agent group data.
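The authorisation flaw described above, as an added example that is not LobeChat's code: a minimal TypeScript model in which the three endpoint names are borrowed from the advisory, while the data model (`ChatGroup`, `ownerId`, the in-memory `groupStore`), the `Vulnerable`/`Secure` suffixes and the sample users are constructed for illustration. The vulnerable handler resolves a group by the caller-supplied id alone and never consults who is asking; the hardened handlers route every lookup through one owner-scoped loader, so a group that belongs to another user is reported exactly like a missing one.

```typescript
// Added example (not LobeChat's code): models the group-agents BOLA and its fix.
// Every type, name and sample value below is constructed for illustration.

type UserId = string;
type GroupId = string;

interface AgentConfig {
  agentId: string;
  systemPrompt: string; // the kind of sensitive setting the advisory mentions
}

interface ChatGroup {
  id: GroupId;
  ownerId: UserId; // the tenant boundary every object lookup must respect
  agents: AgentConfig[];
}

// Constructed sample store: Alice and Bob each own one chat group.
const groupStore = new Map<GroupId, ChatGroup>([
  ["grp-alice", { id: "grp-alice", ownerId: "alice", agents: [{ agentId: "a1", systemPrompt: "Alice's assistant" }] }],
  ["grp-bob", { id: "grp-bob", ownerId: "bob", agents: [{ agentId: "b1", systemPrompt: "Bob's assistant" }] }],
]);

class NotFoundError extends Error {}

// VULNERABLE shape: the handler trusts the caller-supplied groupId and ignores the
// authenticated caller entirely, so any logged-in user can read any group's agents.
function getGroupAgentsVulnerable(_callerId: UserId, groupId: GroupId): AgentConfig[] {
  const group = groupStore.get(groupId);
  if (!group) throw new NotFoundError(`group ${groupId} not found`);
  return group.agents;
}

// HARDENED shape: a single loader scopes every lookup by the authenticated user.
// A group owned by someone else is reported like a missing one, so the response
// neither leaks data nor confirms which identifiers exist.
function loadOwnedGroup(callerId: UserId, groupId: GroupId): ChatGroup {
  const group = groupStore.get(groupId);
  if (!group || group.ownerId !== callerId) {
    throw new NotFoundError(`group ${groupId} not found`);
  }
  return group;
}

function getGroupAgentsSecure(callerId: UserId, groupId: GroupId): AgentConfig[] {
  return loadOwnedGroup(callerId, groupId).agents;
}

function updateAgentInGroupSecure(
  callerId: UserId,
  groupId: GroupId,
  agentId: string,
  patch: Partial<Omit<AgentConfig, "agentId">>,
): AgentConfig {
  const group = loadOwnedGroup(callerId, groupId); // ownership checked before any write
  const agent = group.agents.find((a) => a.agentId === agentId);
  if (!agent) throw new NotFoundError(`agent ${agentId} not found`);
  Object.assign(agent, patch);
  return agent;
}

// Returns how many agents were actually removed from the caller's own group.
function removeAgentsFromGroupSecure(callerId: UserId, groupId: GroupId, agentIds: string[]): number {
  const group = loadOwnedGroup(callerId, groupId);
  const before = group.agents.length;
  group.agents = group.agents.filter((a) => !agentIds.includes(a.agentId));
  return before - group.agents.length;
}

// Helper for demos and tests: true when the call was rejected as not-found.
function isDenied(fn: () => unknown): boolean {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof NotFoundError;
  }
}
```

The design point is that the ownership check lives in one loader every endpoint must call, rather than being re-implemented (or forgotten) per handler; in a real service the same effect is usually achieved by making the database query itself filter on both the object id and the authenticated user's id.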
LobeChat (lobehub/lobehub) ≤ 2.2.9
Upgrade LobeChat to the version incorporating patch commit https://github.com/lobehub/lobehub/commit/9ed5a7e20d8a67c431265f5a252e9559d9920907. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-59100
Sources
NVD: CVE-2026-59100 (https://nvd.nist.gov/vuln/detail/CVE-2026-59100)
LobeChat patch commit (https://github.com/lobehub/lobehub/commit/9ed5a7e20d8a67c431265f5a252e9559d9920907)