Platform
nodejs
Component
@lobehub/lobehub
Fixed in
2.1.49
2.1.48
CVE-2026-39411 describes an Authentication Bypass vulnerability within the @lobehub/lobehub library. This flaw allows attackers to bypass authentication mechanisms by manipulating the X-lobe-chat-auth header, potentially granting unauthorized access to sensitive resources. The vulnerability affects versions prior to 2.1.48 and has been publicly disclosed on 2026-04-08. A fix is available in version 2.1.48.
The core of this vulnerability lies in the inadequate authentication of the X-lobe-chat-auth header. This header is intended to authenticate requests to the webapi layer, but the implementation relies on a simple XOR obfuscation using a hardcoded key. Because the key is publicly available within the repository, attackers can easily calculate the XOR value for arbitrary JSON payloads, effectively forging valid authentication tokens. This allows them to bypass authentication and access protected routes, including POST /webapi/chat/[provider], GET /webapi/models/[provider], POST /webapi/models/[provider]/pull, and POST /webapi/create-image/comfyui. Successful exploitation could lead to unauthorized access to model data, chat logs, and the ability to trigger image creation processes, potentially impacting data confidentiality and integrity.
CVE-2026-39411 is not currently listed on KEV or EPSS. Given the ease of exploitation due to the hardcoded XOR key, the probability of exploitation is considered medium. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and the availability of the XOR key. The vulnerability was publicly disclosed on 2026-04-08.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39411 is to upgrade to version 2.1.48 or later of the @lobehub/lobehub library. This version incorporates a more robust authentication mechanism that eliminates the reliance on the vulnerable XOR obfuscation. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests with suspicious X-lobe-chat-auth headers. Specifically, look for headers containing unusual characters or patterns that deviate from expected values. Additionally, review and restrict access to the affected webapi endpoints to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to access protected webapi routes with a forged X-lobe-chat-auth header – the request should be rejected.
Update LobeHub to version 2.1.48 or later to mitigate the vulnerability. This update corrects how authentication is handled, eliminating the possibility of forging authorization headers and accessing protected routes without authentication.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-39411 is an Authentication Bypass vulnerability in @lobehub/lobehub where an attacker can forge authentication tokens due to a hardcoded XOR key, bypassing authentication on protected webapi routes.
You are affected if you are using a version of @lobehub/lobehub prior to 2.1.48 and rely on its authentication mechanisms for protected webapi routes.
Upgrade to version 2.1.48 or later of @lobehub/lobehub. Consider implementing WAF rules to filter suspicious X-lobe-chat-auth headers as a temporary mitigation.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests a medium probability of exploitation and the potential for public PoC code.
Refer to the official @lobehub/lobehub repository and release notes for the advisory and detailed information regarding the fix.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.