CVE-2026-39411
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
08/04/2026
Last modified:
20/04/2026
Description
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.
Impact
Base Score 3.x:
5.00
Severity 3.x:
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:lobehub:lobehub:*:*:*:*:*:node.js:*:* | | 2.1.48 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428
- https://github.com/lobehub/lobehub/pull/13535
- https://github.com/lobehub/lobehub/releases/tag/v2.1.48
- https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97