CVE-2026-54157
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
CVSS Score
9.0
EPSS Score
0.0%
EPSS Percentile
0th
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.
| CWE | CWE-918 |
| Vendor | lobehub |
| Product | lobehub |
| Published | Jun 23, 2026 |
| Last Updated | Jun 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for lobehub lobehub
Be the first to know when new critical vulnerabilities affecting lobehub lobehub are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
High
Affected Versions
lobehub / lobehub
< 2.1.57