PT-2026-3454 · Lobe Chat · Lobe Chat

Denizparlak · Published 2026-01-19 · Updated 2026-01-20 · CVE-2026-23522

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LobeChat versions prior to 2.0.0-next.193
Description: LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the knowledgeBase.removeFilesFromKnowledgeBase tRPC endpoint allows authenticated users to delete files from any knowledge base without proper ownership verification. The userId filter in the database query is commented out, enabling attackers to delete other users' knowledge base files if they know the knowledge base ID and file ID. Practical exploitation requires knowing the target's knowledge base ID and file ID, which may leak through shared links, logs, or referrer headers. This missing authorization check is a critical security flaw.
Recommendations: Upgrade to version 2.0.0-next.193 to receive a patch.
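The defect class described above, a delete query whose ownership predicate was commented out, is easiest to see next to its corrected form. The following is an added illustration and is not LobeChat's code: the row shape, the in-memory store, and the function names (`removeFilesVulnerable`, `removeFilesSafe`) are assumptions made for this example. It shows why the fix is to keep the caller's userId in the WHERE clause rather than to check ownership only in a separate step.

```typescript
// Added example for CVE-2026-23522's bug class (missing ownership filter on a
// delete). NOT LobeChat's code: row shape, store and function names are assumed.

interface KnowledgeBaseFile {
  knowledgeBaseId: string;
  fileId: string;
  userId: string; // owner of the knowledge-base row
}

// Constructed sample data: two users, each owning one knowledge base with one file.
function seed(): KnowledgeBaseFile[] {
  return [
    { knowledgeBaseId: 'kb-alice', fileId: 'file-1', userId: 'alice' },
    { knowledgeBaseId: 'kb-bob', fileId: 'file-2', userId: 'bob' },
  ];
}

// Vulnerable pattern: the ownership predicate is commented out, so rows match on
// knowledgeBaseId and fileId alone. Any authenticated caller who knows both IDs
// removes another user's file (an IDOR). The caller identity is received but
// never reaches the query.
function removeFilesVulnerable(
  rows: KnowledgeBaseFile[],
  callerUserId: string,
  knowledgeBaseId: string,
  fileIds: string[],
): KnowledgeBaseFile[] {
  void callerUserId; // unused: this is the bug
  return rows.filter(
    (r) =>
      !(
        r.knowledgeBaseId === knowledgeBaseId &&
        fileIds.includes(r.fileId)
        // && r.userId === callerUserId   <- the missing filter
      ),
  );
}

// Hardened pattern: the caller's userId is part of the delete predicate, so rows
// owned by other users are never candidates. Returning the deleted count lets the
// endpoint treat a no-op (wrong owner or unknown IDs) as not-found instead of
// silently succeeding, which is also the signal worth logging for detection.
function removeFilesSafe(
  rows: KnowledgeBaseFile[],
  callerUserId: string,
  knowledgeBaseId: string,
  fileIds: string[],
): { rows: KnowledgeBaseFile[]; deleted: number } {
  const remaining = rows.filter(
    (r) =>
      !(
        r.knowledgeBaseId === knowledgeBaseId &&
        fileIds.includes(r.fileId) &&
        r.userId === callerUserId
      ),
  );
  return { rows: remaining, deleted: rows.length - remaining.length };
}

// Stand-alone run: bob attempts to remove alice's file under both patterns.
const afterVulnerable = removeFilesVulnerable(seed(), 'bob', 'kb-alice', ['file-1']);
const afterSafe = removeFilesSafe(seed(), 'bob', 'kb-alice', ['file-1']);
console.log('vulnerable: rows left =', afterVulnerable.length); // 1 (alice's file gone)
console.log('safe: deleted =', afterSafe.deleted, 'rows left =', afterSafe.rows.length); // 0, 2
```

The scoping predicate belongs in the query itself so that ownership and deletion are one atomic condition; a separate pre-check followed by an unscoped delete reintroduces a window in which the check and the write can disagree.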

Tags: Exploit · Fix · Missing Authorization · Improper Access Control · IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-23522, GHSA-J7XP-4MG9-X28R

Affected Products: Lobe Chat