PT-2024-20457 · Lobe Chat · Lobe Chat

Dastaj · Published 2024-01-31 · Updated 2024-02-09 · CVE-2024-24566

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Lobe Chat versions prior to 0.122.4

Description: The issue allows access to plugins without proper authorization when the application is password-protected and deployed with the ACCESS CODE option. Although the application requires the password to use the chat, plugin endpoints can be interacted with without entering it. For example, an HTTP request to the "/api/plugin/gateway" endpoint can be made without providing the ACCESS CODE, allowing unauthorized access to plugins.

Recommendations: For versions prior to 0.122.4, update to version 0.122.4 or later to resolve the issue. As a temporary workaround, verify the ACCESS CODE for HTTP requests to the /api/plugin/ route to minimize the risk of exploitation.


Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2024-24566, GHSA-PF55-FJ96-XF37

Affected Products: Lobe Chat