Broken Object-Level Authorization in LobeChat Server-Database Deployments
CVE-2026-58580
6 MEDIUM
What is CVE-2026-58580?
LobeChat versions up to and including 2.2.9 are susceptible to a broken object-level authorization vulnerability in the MessageModel. The flaw exists in methods such as updateMessagePlugin and findMessagePlugin, which look messages up by identifier alone and omit the check that the message belongs to the requesting user. An authenticated user who knows another user's message identifier can exploit this to overwrite the victim's plugin tool-call metadata, including states and error records. Such tampering can cause misleading content to be displayed or operations to be carried out under false pretenses, compromising the integrity and functionality of the application.
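To make the authorization gap concrete, here is an added illustration in TypeScript; it is not LobeChat's source and does not reproduce the project's data model. It keeps the method names the advisory cites (findMessagePlugin, updateMessagePlugin on a MessageModel) but the row shape, the in-memory store and the sample users are assumptions. The vulnerable model scopes its lookup by message id only, so any signed-in user reaches any row; the hardened model scopes every query by both the message id and the caller's user id, and answers "not found" identically whether the row is missing or owned by someone else.

```typescript
// Added example for CVE-2026-58580; hypothetical code, not LobeChat's.
// Demonstrates an id-only lookup (the BOLA) next to an ownership-scoped lookup.

interface PluginState {
  state: Record<string, number>; // tool-call state (assumed shape)
  error: string | null;          // recorded tool-call error (assumed shape)
}

interface MessageRow {
  id: string;
  userId: string; // owner of the message
  plugin: PluginState;
}

class AuthorizationError extends Error {}

// Constructed sample data: two users, one message each. A fresh copy per call
// so that separate scenarios do not share mutated rows.
function sampleRows(): MessageRow[] {
  return [
    { id: "msg-alice", userId: "alice", plugin: { state: { step: 1 }, error: null } },
    { id: "msg-bob",   userId: "bob",   plugin: { state: { step: 3 }, error: null } },
  ];
}

// BEFORE (vulnerable): authentication is enforced, authorization is not.
// Both methods key the query on messageId alone, so the caller's identity
// never constrains which row is read or written.
class VulnerableMessageModel {
  constructor(private readonly userId: string, private readonly rows: MessageRow[]) {}

  private requireAuthenticated(): void {
    if (!this.userId) throw new AuthorizationError("not signed in");
  }

  findMessagePlugin(messageId: string): PluginState | undefined {
    this.requireAuthenticated();
    return this.rows.find((m) => m.id === messageId)?.plugin;
  }

  updateMessagePlugin(messageId: string, patch: Partial<PluginState>): boolean {
    this.requireAuthenticated();
    const row = this.rows.find((m) => m.id === messageId);
    if (!row) return false;
    row.plugin = { ...row.plugin, ...patch };
    return true;
  }
}

// AFTER (hardened): every access goes through one helper that scopes the
// query by object id AND owner. "Not owned" and "does not exist" produce the
// same result, so the API also does not leak which ids belong to other users.
class ScopedMessageModel {
  constructor(private readonly userId: string, private readonly rows: MessageRow[]) {}

  private own(messageId: string): MessageRow | undefined {
    if (!this.userId) throw new AuthorizationError("not signed in");
    return this.rows.find((m) => m.id === messageId && m.userId === this.userId);
  }

  findMessagePlugin(messageId: string): PluginState | undefined {
    return this.own(messageId)?.plugin;
  }

  updateMessagePlugin(messageId: string, patch: Partial<PluginState>): boolean {
    const row = this.own(messageId);
    if (!row) return false; // missing or foreign row: no write, no distinguishing signal
    row.plugin = { ...row.plugin, ...patch };
    return true;
  }
}

// Stand-alone run: alice reads bob's plugin metadata through each model.
const vulnerable = new VulnerableMessageModel("alice", sampleRows());
const scoped = new ScopedMessageModel("alice", sampleRows());
console.log("id-only lookup of bob's message:", vulnerable.findMessagePlugin("msg-bob"));
console.log("owner-scoped lookup of bob's message:", scoped.findMessagePlugin("msg-bob"));
```

The practical takeaway for reviewing similar data-access layers is that the fix is a single choke point: route every per-user object read and write through one ownership-scoped helper (here `own`) rather than repeating the `userId` condition in each method, since the omission in any one method is enough to reintroduce the issue.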
Affected Version(s)
lobehub: all versions from 0 up to and including 2.2.9
