CVE-2026-39411
Description
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.
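The advisory's core point is that XOR with a key that ships in the repository is obfuscation, not authentication: anyone holding the key can mint a header the server will decode and trust. The following is an added illustration, not LobeHub's code and not its real header format or key; the key value, the payload fields and the function names are invented for the example. It places a XOR-obfuscated header scheme next to an HMAC-signed one keyed by a secret that only the server holds, and shows that the first accepts a forged payload while the second rejects both forged and tampered tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical hardcoded key, standing in for one checked into a repository.
# Not LobeHub's actual key; chosen here only for the illustration.
HARDCODED_XOR_KEY = b"example-obfuscation-key"

# Server-only secret for the hardened scheme: generated at startup (or loaded
# from the environment), never shipped in source.
SERVER_SECRET = secrets.token_bytes(32)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse, so decode == encode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- weak scheme: obfuscation mistaken for authentication ---------------------

def weak_encode(payload: dict) -> str:
    """Build the header value: XOR the JSON payload with the fixed key, base64 it."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(raw, HARDCODED_XOR_KEY)).decode()


def weak_verify(header: str) -> dict:
    """'Verify' by decoding. Nothing binds the payload to a server secret,
    so any client that knows HARDCODED_XOR_KEY can produce an accepted header."""
    raw = xor_bytes(base64.b64decode(header), HARDCODED_XOR_KEY)
    return json.loads(raw)


# --- hardened scheme: HMAC over the payload with a server-only secret ---------

def signed_encode(payload: dict, secret: bytes = SERVER_SECRET) -> str:
    """Return '<urlsafe-b64 body>.<hex HMAC-SHA256 tag>'."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def signed_verify(header: str, secret: bytes = SERVER_SECRET):
    """Return the payload only if the tag verifies; None on any failure."""
    if "." not in header:
        return None
    body, tag = header.split(".", 1)
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so a non-ASCII tag cannot raise.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def demo() -> tuple:
    """Run the three checks a reviewer would want to see; returns three bools."""
    # 1. Attacker with the repository key forges a privileged payload; the weak
    #    layer decodes it and treats it as authenticated.
    forged = weak_encode({"userId": "admin", "apiKey": "attacker-supplied"})
    weak_accepts_forgery = weak_verify(forged)["userId"] == "admin"

    # 2. Same forgery against the signed scheme, minted with a guessed secret:
    #    the tag does not verify under SERVER_SECRET.
    forged_signed = signed_encode({"userId": "admin"}, secret=b"guessed-secret")
    hardened_rejects_forgery = signed_verify(forged_signed) is None

    # 3. A server-minted token still round-trips, and altering its body breaks it.
    legit = signed_encode({"userId": "alice"})
    _, tag = legit.split(".", 1)
    tampered_body = base64.urlsafe_b64encode(b'{"userId":"admin"}').decode()
    hardened_accepts_legit = (
        signed_verify(legit)["userId"] == "alice"
        and signed_verify(f"{tampered_body}.{tag}") is None
    )
    return weak_accepts_forgery, hardened_rejects_forgery, hardened_accepts_legit


if __name__ == "__main__":
    print(demo())
```

Two design notes on the hardened half: the secret must live only on the server (environment or secret store), since a signing key committed to the repository would reproduce the original problem under a stronger primitive; and an alternative that avoids client-carried claims entirely is to have the header carry only an opaque session identifier and look the claims up server-side, which is the usual pattern when the client has no legitimate reason to hold them.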
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @lobehub/lobehub (npm) | < 2.1.48 | 2.1.48 |
References
- github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428 (NVD: Patch)
- github.com/advisories/GHSA-5mwj-v5jw-5c97 (GHSA: Advisory)
- github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97 (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-39411 (GHSA: Advisory)
- github.com/lobehub/lobehub/pull/13535 (NVD: Issue Tracking)
- github.com/lobehub/lobehub/releases/tag/v2.1.48 (NVD: Product)