What happened
CVE-2026-59100 (CVSS 5.0 Medium, published 2026-07-02) affects LobeChat through version 2.2.9. The application contains a broken object-level authorization (BOLA/IDOR) flaw: the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup API endpoints accept an arbitrary group identifier from an authenticated caller and never verify that the caller owns that group, so any logged-in user can read and modify other users' chat-group agent configurations. The fix was committed at https://github.com/lobehub/lobehub/commit/9ed5a7e20d8a67c431265f5a252e9559d9920907.
Why it matters
LobeChat is a widely used open-source AI chat platform supporting multi-model LLM conversations and agent configuration. BOLA in agent group management lets an authenticated attacker (e.g. a free-tier user on a shared deployment) who knows or guesses another user's group ID read that user's agent definitions, modify them, or remove agents from the group. Agent definitions may include system prompts, tool configurations, API keys embedded in agent settings, and linked workflow logic. In enterprise LobeChat deployments this can expose proprietary AI agent logic and credentials across tenants, and a modified system prompt or tool configuration silently changes what the victim's agents do on their behalf.
Attack vector
An authenticated attacker calls getGroupAgents, updateAgentInGroup, or removeAgentsFromGroup with a victim's group ID; because the server never checks that the caller owns the group, it returns or mutates the victim's agent configuration. No privilege beyond an ordinary account is required: a valid session plus the target group ID is enough, which is why the issue is scored as a network-reachable, low-privilege flaw.
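The following is an added illustration of the ownership check this class of bug is missing, written in TypeScript because that is LobeChat's language. It is not LobeChat's code: the group and agent shapes, the in-memory store, the function signatures and the sample data are all assumed for the example. The vulnerable handler trusts the client-supplied group ID exactly as described above; the hardened handlers resolve the group by (groupId, callerId) first, and a small cross-tenant check shows the difference.

```typescript
// Added example, not LobeChat's code. Group/agent shapes, store and names are assumed.
type Agent = { id: string; systemPrompt: string };
type Group = { id: string; ownerId: string; agents: Map<string, Agent> };
type Store = Map<string, Group>;

class AuthzError extends Error {
  constructor(msg: string) { super(msg); Object.setPrototypeOf(this, AuthzError.prototype); }
}

// Constructed sample data: one group per user, each holding one agent with a private prompt.
function seedGroups(): Store {
  return new Map<string, Group>([
    ["grp-alice", { id: "grp-alice", ownerId: "alice",
      agents: new Map([["ag-1", { id: "ag-1", systemPrompt: "alice-private-prompt" }]]) }],
    ["grp-bob", { id: "grp-bob", ownerId: "bob",
      agents: new Map([["ag-2", { id: "ag-2", systemPrompt: "bob-private-prompt" }]]) }],
  ]);
}

// Vulnerable shape: the handler trusts the client-supplied groupId and ignores who is calling.
function getGroupAgentsVulnerable(store: Store, _callerId: string, groupId: string): Agent[] {
  const g = store.get(groupId);
  if (!g) throw new AuthzError("group not found");
  return Array.from(g.agents.values());
}

// Hardened shape: every handler resolves the group by (groupId, callerId) before doing anything.
// A missing group and a group owned by someone else raise the same error, so the response does
// not confirm that a guessed ID exists.
function loadOwnedGroup(store: Store, callerId: string, groupId: string): Group {
  const g = store.get(groupId);
  if (!g || g.ownerId !== callerId) throw new AuthzError("group not found");
  return g;
}

function getGroupAgents(store: Store, callerId: string, groupId: string): Agent[] {
  return Array.from(loadOwnedGroup(store, callerId, groupId).agents.values());
}

function updateAgentInGroup(store: Store, callerId: string, groupId: string, agentId: string,
                            patch: Partial<Omit<Agent, "id">>): Agent {
  const g = loadOwnedGroup(store, callerId, groupId);
  const a = g.agents.get(agentId);
  if (!a) throw new AuthzError("agent not found");
  const updated: Agent = { ...a, ...patch, id: a.id };
  g.agents.set(agentId, updated);
  return updated;
}

function removeAgentsFromGroup(store: Store, callerId: string, groupId: string, agentIds: string[]): number {
  const g = loadOwnedGroup(store, callerId, groupId);
  let removed = 0;
  for (const id of agentIds) if (g.agents.delete(id)) removed++;
  return removed;
}

// Cross-tenant regression check: alice targets bob's group. The vulnerable handler hands over
// bob's agents; the hardened handlers refuse all three operations and bob's data stays intact.
function crossTenantCheck(): { vulnerableLeaked: boolean; hardenedRefused: boolean; bobIntact: boolean } {
  const store = seedGroups();
  const vulnerableLeaked = getGroupAgentsVulnerable(store, "alice", "grp-bob").length > 0;
  const attempts: Array<() => unknown> = [
    () => getGroupAgents(store, "alice", "grp-bob"),
    () => updateAgentInGroup(store, "alice", "grp-bob", "ag-2", { systemPrompt: "owned" }),
    () => removeAgentsFromGroup(store, "alice", "grp-bob", ["ag-2"]),
  ];
  let refused = 0;
  for (const attempt of attempts) {
    try { attempt(); } catch (e) { if (e instanceof AuthzError) refused++; }
  }
  const bobGroup = store.get("grp-bob");
  const bobAgent = bobGroup ? bobGroup.agents.get("ag-2") : undefined;
  const bobIntact = bobAgent !== undefined && bobAgent.systemPrompt === "bob-private-prompt";
  return { vulnerableLeaked, hardenedRefused: refused === attempts.length, bobIntact };
}
```

The point of routing every handler through loadOwnedGroup is that the ownership check cannot be forgotten on one endpoint while present on another; the same "not found" response for missing and foreign groups also stops the endpoints from being used as an oracle for valid group IDs.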
Affected systems
LobeChat (lobehub/lobe-chat) ≤ 2.2.9
Mitigation
Upgrade LobeChat to a release that includes commit 9ed5a7e20d8a67c431265f5a252e9559d9920907 (any version after 2.2.9 that contains it): https://github.com/lobehub/lobehub/commit/9ed5a7e20d8a67c431265f5a252e9559d9920907. After upgrading, verify on a shared deployment with two ordinary accounts that one cannot read, update, or remove agents in the other's group through getGroupAgents, updateAgentInGroup, or removeAgentsFromGroup. Where an upgrade must wait, treat any secrets stored in agent settings on a multi-user instance as potentially exposed and rotate them.