Broken Object-Level Authorization in LobeChat Server-Database Deployments
CVE-2026-58580

6 MEDIUM

Key Information:

Vendor: Lobehub

Status: Vendor

CVE Published: 2 July 2026

What is CVE-2026-58580?

LobeChat versions up to 2.2.9 are susceptible to a broken object-level authorization vulnerability in the MessageModel. The flaw exists in methods such as updateMessagePlugin and findMessagePlugin, where user-specific checks are omitted. Authenticated users who possess knowledge of another user's message identifier can exploit this vulnerability to overwrite the victim's plugin tool-call metadata, including states and error records. This malicious alteration of data could lead to misleading content being displayed or operations being executed under false pretenses, thus impacting the integrity and functionality of the application.
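To make the flaw concrete from a defender's point of view, the following is an added illustration (not LobeChat's code, and not the actual MessageModel): a minimal in-memory message store with a plugin-update method that looks rows up by message id alone, next to the scoped form in which every lookup is additionally keyed on the calling user's id. The row shape, the `userId` column name and the function names are assumptions made for the example.

```typescript
// Added example, not LobeChat's code. All names and shapes are hypothetical.

interface PluginState {
  state?: { step?: number };
  error?: { message: string } | null;
}

interface MessageRow {
  id: string;
  userId: string; // assumed owner column
  plugin: PluginState;
}

// Constructed sample data: two users, one message each.
const messages: MessageRow[] = [
  { id: 'msg-alice-1', userId: 'alice', plugin: { state: { step: 1 }, error: null } },
  { id: 'msg-bob-1', userId: 'bob', plugin: { state: { step: 2 }, error: null } },
];

// Broken object-level authorization: the lookup is keyed on the message id
// alone, so any authenticated caller who knows an id can overwrite the row's
// plugin state and error records, regardless of who owns the message.
function updateMessagePluginUnscoped(id: string, patch: Partial<PluginState>): boolean {
  const row = messages.find((m) => m.id === id);
  if (!row) return false;
  row.plugin = { ...row.plugin, ...patch };
  return true;
}

// Hardened form: every query is scoped to the caller's userId, so a message
// id belonging to another user behaves exactly like a non-existent one.
// Returning false rather than a distinct "forbidden" result also avoids
// confirming that a guessed id exists.
function updateMessagePluginScoped(
  userId: string,
  id: string,
  patch: Partial<PluginState>,
): boolean {
  const row = messages.find((m) => m.id === id && m.userId === userId);
  if (!row) return false;
  row.plugin = { ...row.plugin, ...patch };
  return true;
}

// Reads get the same owner scoping as writes.
function findMessagePluginScoped(userId: string, id: string): PluginState | undefined {
  return messages.find((m) => m.id === id && m.userId === userId)?.plugin;
}
```

The fix is the same in a real ORM: the owner predicate (`userId = current user`) belongs in the `WHERE` clause of every `SELECT`/`UPDATE`/`DELETE` that takes a client-supplied object id, rather than in a separate check that can be forgotten on one method.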

Affected Version(s)

lobehub 0 <= 2.2.9

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen