Plattform
nodejs
Komponente
@lobehub/lobehub
Behoben in
2.1.49
2.1.48
CVE-2026-39411 describes an Authentication Bypass vulnerability within the @lobehub/lobehub library. This flaw allows attackers to bypass authentication mechanisms by manipulating the X-lobe-chat-auth header, potentially granting unauthorized access to sensitive resources. The vulnerability affects versions prior to 2.1.48 and has been publicly disclosed on 2026-04-08. A fix is available in version 2.1.48.
The core of this vulnerability lies in the inadequate authentication of the X-lobe-chat-auth header. This header is intended to authenticate requests to the webapi layer, but the implementation relies on a simple XOR obfuscation using a hardcoded key. Because the key is publicly available within the repository, attackers can easily calculate the XOR value for arbitrary JSON payloads, effectively forging valid authentication tokens. This allows them to bypass authentication and access protected routes, including POST /webapi/chat/[provider], GET /webapi/models/[provider], POST /webapi/models/[provider]/pull, and POST /webapi/create-image/comfyui. Successful exploitation could lead to unauthorized access to model data, chat logs, and the ability to trigger image creation processes, potentially impacting data confidentiality and integrity.
CVE-2026-39411 is not currently listed on KEV or EPSS. Given the ease of exploitation due to the hardcoded XOR key, the probability of exploitation is considered medium. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and the availability of the XOR key. The vulnerability was publicly disclosed on 2026-04-08.
Applications and services utilizing the @lobehub/lobehub library in their authentication flow are at risk. This includes projects that rely on the library for managing chat interactions, model access, and image creation. Shared hosting environments where multiple applications share the same @lobehub/lobehub installation are particularly vulnerable, as a compromise in one application could potentially affect others.
• nodejs / server:
npm list @lobehub/lobehub• nodejs / server:
npm audit @lobehub/lobehub• generic web:
Inspect HTTP requests for the X-lobe-chat-auth header. Look for unusual or unexpected values. Check access logs for requests to /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui with potentially forged authentication headers.
disclosure
Exploit-Status
EPSS
0.02% (5% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-39411 is to upgrade to version 2.1.48 or later of the @lobehub/lobehub library. This version incorporates a more robust authentication mechanism that eliminates the reliance on the vulnerable XOR obfuscation. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests with suspicious X-lobe-chat-auth headers. Specifically, look for headers containing unusual characters or patterns that deviate from expected values. Additionally, review and restrict access to the affected webapi endpoints to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to access protected webapi routes with a forged X-lobe-chat-auth header – the request should be rejected.
Aktualisieren Sie LobeHub auf Version 2.1.48 oder höher, um die Schwachstelle zu beheben. Dieses Update behebt die Art und Weise, wie die Authentifizierung behandelt wird, und beseitigt die Möglichkeit, Autorisierungsheader zu fälschen und auf geschützte Routen ohne Authentifizierung zuzugreifen.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-39411 is an Authentication Bypass vulnerability in @lobehub/lobehub where an attacker can forge authentication tokens due to a hardcoded XOR key, bypassing authentication on protected webapi routes.
You are affected if you are using a version of @lobehub/lobehub prior to 2.1.48 and rely on its authentication mechanisms for protected webapi routes.
Upgrade to version 2.1.48 or later of @lobehub/lobehub. Consider implementing WAF rules to filter suspicious X-lobe-chat-auth headers as a temporary mitigation.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests a medium probability of exploitation and the potential for public PoC code.
Refer to the official @lobehub/lobehub repository and release notes for the advisory and detailed information regarding the fix.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.