CVE-2026-23522 Overview
LobeChat, an open source chat application platform, contains a broken access control vulnerability in versions prior to 2.0.0-next.193. The knowledgeBase.removeFilesFromKnowledgeBase tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. This occurs because the userId filter in the database query is commented out, enabling attackers to delete other users' knowledge base files if they know the target knowledge base ID and file ID.
Critical Impact
Authenticated attackers can delete arbitrary files from any user's knowledge base, potentially causing data loss and disruption of service for affected users.
Affected Products
- LobeChat versions prior to 2.0.0-next.193
Discovery Timeline
- 2026-01-19 - CVE CVE-2026-23522 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-23522
Vulnerability Analysis
This vulnerability is a classic broken access control flaw (CWE-284): the authorization check is present in the source but never executed. The core issue lies in the removeFilesFromKnowledgeBase function within the database model layer, where the userId equality predicate was commented out, apparently during development or debugging, and never restored.
When the function issues a delete against the knowledgeBaseFiles table, the query is scoped only by knowledgeBaseId and fileId; nothing ties the matched rows to the authenticated caller. Any authenticated user can therefore delete files belonging to other users, provided they obtain the target's knowledge base ID and file ID.
Practical exploitation requires knowing these random IDs, but they may leak through shared links, application logs, referrer headers, or other information disclosure vectors. ID secrecy is not an access control; the server-side ownership predicate is the only real protection.
Root Cause
The root cause is a commented-out authorization check in the database query logic. The line eq(knowledgeBaseFiles.userId, this.userId) was present in the code but disabled by being placed within a comment, effectively removing the user ownership validation from the delete operation. This allowed the delete query to execute against any knowledge base file matching the provided IDs, regardless of ownership.
Attack Vector
The attack is network-based and requires an authenticated account on the target LobeChat instance; no elevated privileges are needed. An attacker would:
- Authenticate to the LobeChat application with any account
- Obtain a target user's knowledge base ID and file ID through reconnaissance (for example, the leakage vectors noted above)
- Invoke the knowledgeBase.removeFilesFromKnowledgeBase tRPC endpoint with the target's knowledge base ID and file IDs
- The delete executes because the query matches rows by knowledge base ID and file ID alone, so the victim's files are removed without any ownership check
The following code shows the vulnerable implementation and the security patch:
// VULNERABLE CODE (before patch):
// and, eq and inArray are drizzle-orm query helpers; this.db is the Drizzle
// client and this.userId the authenticated caller, as in the surrounding model class.
removeFilesFromKnowledgeBase = async (knowledgeBaseId: string, ids: string[]) => {
  return this.db.delete(knowledgeBaseFiles).where(
    and(
      eq(knowledgeBaseFiles.knowledgeBaseId, knowledgeBaseId),
      inArray(knowledgeBaseFiles.fileId, ids),
      // eq(knowledgeBaseFiles.userId, this.userId), // Authorization check DISABLED
    ),
  );
};
// PATCHED CODE (after fix):
removeFilesFromKnowledgeBase = async (knowledgeBaseId: string, ids: string[]) => {
  return this.db
    .delete(knowledgeBaseFiles)
    .where(
      and(
        eq(knowledgeBaseFiles.userId, this.userId), // Authorization check RESTORED
        eq(knowledgeBaseFiles.knowledgeBaseId, knowledgeBaseId),
        inArray(knowledgeBaseFiles.fileId, ids),
      ),
    );
};
Source: GitHub Commit Details
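To make the effect of the missing predicate concrete, the following is an added example and not LobeChat's code: an in-memory array stands in for the knowledgeBaseFiles table, and a predicate builder mirrors the two where() clauses above. The user, knowledge base and file IDs are constructed sample data.

```typescript
// Added example (not LobeChat's code): an in-memory stand-in for the
// knowledgeBaseFiles table showing that without the userId predicate a
// cross-tenant request deletes the victim's rows, and that restoring it
// reduces the same request to a no-op while leaving the owner's path intact.

interface KnowledgeBaseFile {
  userId: string;
  knowledgeBaseId: string;
  fileId: string;
}

// Constructed sample data: two users, each owning one knowledge base.
function seedRows(): KnowledgeBaseFile[] {
  return [
    { userId: "user_alice", knowledgeBaseId: "kb_alice", fileId: "file_a1" },
    { userId: "user_alice", knowledgeBaseId: "kb_alice", fileId: "file_a2" },
    { userId: "user_bob", knowledgeBaseId: "kb_bob", fileId: "file_b1" },
  ];
}

type Variant = "vulnerable" | "patched";

// Mirrors the shape of the where() clauses on the page: the vulnerable variant
// filters on knowledgeBaseId and fileId only; the patched variant also requires
// the row's userId to equal the authenticated caller's.
function matches(
  variant: Variant,
  callerId: string,
  knowledgeBaseId: string,
  ids: string[],
  row: KnowledgeBaseFile,
): boolean {
  const base = row.knowledgeBaseId === knowledgeBaseId && ids.indexOf(row.fileId) !== -1;
  return variant === "vulnerable" ? base : base && row.userId === callerId;
}

// Deletes matching rows; returns the surviving rows and the number removed.
function removeFilesFromKnowledgeBase(
  variant: Variant,
  table: KnowledgeBaseFile[],
  callerId: string,
  knowledgeBaseId: string,
  ids: string[],
): { remaining: KnowledgeBaseFile[]; deleted: number } {
  const remaining = table.filter(
    (row) => !matches(variant, callerId, knowledgeBaseId, ids, row),
  );
  return { remaining, deleted: table.length - remaining.length };
}

// Scenario: Bob (attacker) has learned Alice's knowledge base and file IDs and
// calls the endpoint against them while authenticated as himself.
function crossTenantDelete(variant: Variant): number {
  return removeFilesFromKnowledgeBase(
    variant,
    seedRows(),
    "user_bob",
    "kb_alice",
    ["file_a1", "file_a2"],
  ).deleted;
}

// Sanity check: the legitimate owner can still delete her own file under both
// variants, so the fix does not break the intended behaviour.
function ownerDelete(variant: Variant): number {
  return removeFilesFromKnowledgeBase(
    variant,
    seedRows(),
    "user_alice",
    "kb_alice",
    ["file_a1"],
  ).deleted;
}

console.log("cross-tenant, vulnerable:", crossTenantDelete("vulnerable")); // 2
console.log("cross-tenant, patched:   ", crossTenantDelete("patched"));    // 0
console.log("owner, patched:          ", ownerDelete("patched"));          // 1
```

One consequence worth noting for defenders: the patch adds a predicate rather than an explicit ownership lookup, so on a fixed version a cross-tenant request does not fail with an error; it simply deletes zero rows. Monitoring should therefore not rely on 403s or server errors to spot attempts.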
Detection Methods for CVE-2026-23522
Indicators of Compromise
- Unexpected deletion of knowledge base files without user action
- API audit logs showing removeFilesFromKnowledgeBase calls targeting multiple knowledge base IDs from a single user
- User reports of missing files from their knowledge bases
Detection Strategies
- Monitor tRPC endpoint calls for knowledgeBase.removeFilesFromKnowledgeBase and flag requests where the authenticated user ID doesn't match the knowledge base owner
- Implement rate limiting and anomaly detection on file deletion operations
- Review application logs for bulk deletion patterns or requests targeting knowledge bases not owned by the requesting user
Monitoring Recommendations
- Enable detailed audit logging for all knowledge base modification operations
- Set up alerts for unusual deletion activity patterns across multiple knowledge bases
- Regularly review access logs for the tRPC endpoints to identify potential exploitation attempts
How to Mitigate CVE-2026-23522
Immediate Actions Required
- Upgrade LobeChat to version 2.0.0-next.193 or later immediately
- Review knowledge base deletion logs to identify any potential unauthorized deletions
- Notify users if suspicious deletion activity is detected on their knowledge bases
Patch Information
The vulnerability is addressed in LobeChat version 2.0.0-next.193. The fix restores the userId authorization check in the removeFilesFromKnowledgeBase function, ensuring that users can only delete files from knowledge bases they own. The patch can be reviewed in the GitHub Commit and additional details are available in the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, temporarily disable the knowledge base file deletion functionality, for example by refusing requests to the removeFilesFromKnowledgeBase procedure at a reverse proxy or middleware layer
- Restrict who can authenticate to the instance (network-level access controls or an identity provider allow-list); because the attacker must be authenticated, this only helps where every account holder is trusted
- Deploy a web application firewall (WAF) or reverse-proxy rule to log or block requests to the removeFilesFromKnowledgeBase procedure; such a rule can only disable the endpoint wholesale, since it cannot evaluate ownership, and it must account for tRPC request batching, where several procedure names are joined with commas in a single request path
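The following added example (not LobeChat's code, and not a rule from any particular WAF product) shows the matching logic such a block rule needs. The /trpc/lambda mount prefix in the sample URLs is an assumption; the filter ignores the prefix and inspects only the final path segment, which in tRPC holds the procedure name or, for a batched request, several procedure names joined with commas.

```typescript
// Added example (not LobeChat's code): request filter for the temporary
// workaround of refusing calls to the vulnerable procedure in front of the
// application. Sample URLs and the /trpc/lambda prefix are constructed.

const BLOCKED_PROCEDURES = new Set(["knowledgeBase.removeFilesFromKnowledgeBase"]);

// Extracts the procedure names from a tRPC request URL. The last path segment
// is percent-decoded before splitting on commas so an encoded comma (%2C)
// cannot hide a second procedure in a batched call from the deny list.
function trpcProcedures(url: string): string[] {
  const path = url.split("?")[0];
  const last = path.substring(path.lastIndexOf("/") + 1);
  if (last.length === 0) return [];
  let decoded = last;
  try {
    decoded = decodeURIComponent(last);
  } catch {
    // Malformed escape sequence: fall back to the raw segment so the
    // deny-list comparison still runs rather than silently allowing the call.
  }
  return decoded.split(",").map((p) => p.trim()).filter((p) => p.length > 0);
}

interface Decision {
  block: boolean;
  reason: string;
}

// Blocks a request if any procedure in the (possibly batched) call is denied.
// The HTTP method is deliberately not consulted: the deny list should hold
// regardless of how the framework routes GET vs POST.
function decide(url: string): Decision {
  const hit = trpcProcedures(url).find((p) => BLOCKED_PROCEDURES.has(p));
  return hit
    ? { block: true, reason: `denied procedure ${hit}` }
    : { block: false, reason: "allowed" };
}

// Constructed requests: a direct call, a batched call that includes the target,
// an unrelated call, and an encoded-comma variant of the batched call.
const sampleUrls = [
  "/trpc/lambda/knowledgeBase.removeFilesFromKnowledgeBase?batch=1&input=%7B%7D",
  "/trpc/lambda/file.getFiles,knowledgeBase.removeFilesFromKnowledgeBase?batch=1",
  "/trpc/lambda/knowledgeBase.getKnowledgeBases?batch=1",
  "/trpc/lambda/file.getFiles%2CknowledgeBase.removeFilesFromKnowledgeBase?batch=1",
];
for (const u of sampleUrls) console.log(u, "=>", decide(u).block ? "BLOCK" : "allow");
```

A rule that matches only the exact path /…/knowledgeBase.removeFilesFromKnowledgeBase would pass the second and fourth sample requests, which is the gap the comma handling closes. The rule is a stopgap: it removes the feature for everyone until the upgrade lands, and it does nothing for requests that reach the application by another route.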
# Upgrade the deployment to a release tagged 2.0.0-next.193 or later.
# LobeChat is deployed as a self-hosted Next.js application (official Docker images
# lobehub/lobe-chat and lobehub/lobe-chat-database, or a source checkout); it is not
# installed as an npm dependency, so npm/yarn upgrade commands do not apply.
# Knowledge bases require the server-side database deployment, so for Docker:
docker pull lobehub/lobe-chat-database:<tag of 2.0.0-next.193 or later>
# then recreate the container from the new image and confirm the running version.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


