CVE-2026-23835: LobeHub Vulnerable to Improper Authorization in Presigned Upload

February 1, 2026

The file upload feature in Knowledge Base > File Upload does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since lobechat.com relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a 1 GB file while reporting it as 10 MB, or falsely declaring a 10 MB file as a 1 GB file.

References

github.com/advisories/GHSA-wrrr-8jcv-wjf5
github.com/lobehub/lobehub
github.com/lobehub/lobehub/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5
nvd.nist.gov/vuln/detail/CVE-2026-23835

Code Behaviors & Features

Detect and mitigate CVE-2026-23835 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →