CVE-2026-39411

MEDIUM 5.0

LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

CVSS Score

5.0

EPSS Score

0.0%

EPSS Percentile

0th

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.

CWE	CWE-287 CWE-290 CWE-345
Vendor	lobehub
Product	lobehub
Published	Apr 8, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for lobehub lobehub

Be the first to know when new medium vulnerabilities affecting lobehub lobehub are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

lobehub / lobehub

< 2.1.48

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97 github.com: https://github.com/lobehub/lobehub/pull/13535 github.com: https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428 github.com: https://github.com/lobehub/lobehub/releases/tag/v2.1.48