{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49765?format=json","vulnerability_id":"VCID-fkv5-wm1u-pfh5","summary":"Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion\n`knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership.","aliases":[{"alias":"CVE-2026-23522"},{"alias":"GHSA-j7xp-4mg9-x28r"}],"fixed_packages":[],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73490?format=json","purl":"pkg:npm/%40lobehub/chat@1.143.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkv5-wm1u-pfh5"},{"vulnerability":"VCID-fxza-2edn-ubhh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.143.2"}],"references":[{"reference_url":"https://github.com/lobehub/lobe-chat","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat"},{"reference_url":"https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23522","reference_id":"CVE-2026-23522","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23522"},{"reference_url":"https://github.com/advisories/GHSA-j7xp-4mg9-x28r","reference_id":"GHSA-j7xp-4mg9-x28r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j7xp-4mg9-x28r"},{"reference_url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r","reference_id":"GHSA-j7xp-4mg9-x28r","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r"}],"weaknesses":[{"cwe_id":284,"name":"Improper Access Control","description":"The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fkv5-wm1u-pfh5"}