CVE-2026-23522
CVE-2026-23522 affects LobeChat. Prior to version 2.0.0-next.193, the tRPC endpoint knowledgeBase.removeFilesFromKnowledgeBase lacks ownership verification because the userId filter in the DB query is commented out, enabling an authenticated user to delete files from other users’ knowledge bases ...