CVE-2024-24566

MEDIUM

lobehub/lobe_chat < 0.122.4 - Unauthenticated Plugin Access via Improper Access Control

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-24566. PoCs published by dastaj.

AI-analyzed exploit summary The repository provides a detailed technical analysis and proof-of-concept steps for CVE-2023-48309, an authentication bypass vulnerability in NextAuth.js. It includes step-by-step instructions for exploiting the vulnerability, along with references to patches and advisories.

Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without password). This vulnerability is patched in 0.122.4.

Exploits (1)

github WRITEUP 2 stars
by dastaj · poc
https://github.com/dastaj/CVEs/tree/main/CVE-2024-24566

The repository provides a detailed technical analysis and proof-of-concept steps for CVE-2023-48309, an authentication bypass vulnerability in NextAuth.js. It includes step-by-step instructions for exploiting the vulnerability, along with references to patches and advisories.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: NextAuth.js prior to v4.24.5
No auth needed
Prerequisites: Access to a vulnerable NextAuth.js application · Ability to manipulate cookies
devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 5.3
EPSS 0.0014
EPSS Percentile 34.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (2)
lobehub/chat 0 - 0.122.4npm
lobehub/lobe_chat < 0.122.4
Published Jan 31, 2024
Tracked Since Feb 18, 2026