FKIE_CVE-2026-23835

Vulnerability from fkie_nvd - Published: 2026-01-30 20:16 - Updated: 2026-04-15 00:35
Severity ?
5.7 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue.
References
security-advisories@github.comhttps://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base \u003e File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "LobeHub es una red de agentes humanos y de IA de c\u00f3digo abierto. Antes de la versi\u00f3n 1.143.3, la funci\u00f3n de carga de archivos en \u0027Knowledge Base \u0026gt; File Upload\u0027 no valida la integridad de la solicitud de carga, lo que permite a los usuarios interceptar y modificar los par\u00e1metros de la solicitud. Como resultado, es posible crear archivos arbitrarios en rutas anormales o no intencionadas. Adem\u00e1s, dado que \u0027lobechat.com\u0027 se basa en el par\u00e1metro de tama\u00f1o de la solicitud para calcular el uso del archivo, un atacante puede manipular este valor para tergiversar el tama\u00f1o real del archivo, como cargar un archivo de \u00271 GB\u0027 mientras lo reporta como \u002710 MB\u0027, o declarar falsamente un archivo de \u002710 MB\u0027 como un archivo de \u00271 GB\u0027. Al manipular el valor de tama\u00f1o proporcionado en la solicitud de carga del cliente, es posible eludir la cuota de carga mensual impuesta por el servidor y cargar continuamente archivos m\u00e1s all\u00e1 de los l\u00edmites de almacenamiento y tr\u00e1fico previstos. Este abuso puede resultar en una discrepancia entre el consumo real de recursos y los c\u00e1lculos de facturaci\u00f3n, causando un impacto financiero directo al operador del servicio. Adem\u00e1s, el agotamiento del almacenamiento o de los recursos relacionados puede provocar una disponibilidad degradada del servicio, incluyendo cargas fallidas, entrega de contenido retrasada o suspensi\u00f3n temporal de la funcionalidad de carga para usuarios leg\u00edtimos. Un \u00fanico usuario malicioso tambi\u00e9n puede afectar negativamente a otros usuarios o proyectos que comparten el mismo plan de suscripci\u00f3n, causando efectivamente una denegaci\u00f3n de servicio (DoS) indirecta. Adem\u00e1s, las cargas excesivas y no contabilizadas pueden distorsionar las m\u00e9tricas de monitoreo y sobrecargar los sistemas posteriores, como los procesos de copia de seguridad, el escaneo de malware y las tuber\u00edas de procesamiento de medios, socavando en \u00faltima instancia la estabilidad operativa general y la fiabilidad del servicio. La versi\u00f3n 1.143.3 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-23835",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-30T20:16:41.893",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.