CVE-2026-59095

Severity CVSS v4.0:
HIGH
Type:
CWE-918 Server-Side Request Forgery (SSRF)
Publication date:
02/07/2026
Last modified:
02/07/2026

Description

LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.