LobeHub: Unauthenticated authentication bypass on `webapi` routes via a forgeable `X-lobe-chat-auth` header
Platform
nodejs
Component
@lobehub/lobehub
Fixed in
2.1.49
2.1.48
CVE-2026-39411 describes an Authentication Bypass vulnerability in the @lobehub/lobehub library. The flaw allows attackers to bypass authentication by manipulating the X-lobe-chat-auth header, potentially granting unauthorized access to sensitive resources. The vulnerability affects versions prior to 2.1.48 and was publicly disclosed on 2026-04-08. A fix is available in version 2.1.48.
Impact and Attack Scenarios
The core of this vulnerability lies in the weak validation of the X-lobe-chat-auth header. This header is intended to authenticate requests to the webapi layer, but the implementation relies on simple XOR obfuscation with a hardcoded key. Because the key is publicly available in the repository, attackers can easily compute the XOR value for arbitrary JSON payloads, effectively forging valid authentication tokens. This lets them bypass authentication and reach protected routes, including POST /webapi/chat/[provider], GET /webapi/models/[provider], POST /webapi/models/[provider]/pull, and POST /webapi/create-image/comfyui. Successful exploitation could lead to unauthorized access to model data and chat logs, and to the ability to trigger image creation, affecting data confidentiality and integrity.
Exploitation Context
CVE-2026-39411 is not currently listed on KEV or EPSS. Given the ease of exploitation due to the hardcoded XOR key, the probability of exploitation is considered medium. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and the availability of the XOR key. The vulnerability was publicly disclosed on 2026-04-08.
Who Is at Risk
Applications and services utilizing the @lobehub/lobehub library in their authentication flow are at risk. This includes projects that rely on the library for managing chat interactions, model access, and image creation. Shared hosting environments where multiple applications share the same @lobehub/lobehub installation are particularly vulnerable, as a compromise in one application could potentially affect others.
Detection Steps
• nodejs / server: npm list @lobehub/lobehub
• nodejs / server: npm audit @lobehub/lobehub
• generic web: Inspect HTTP requests for the X-lobe-chat-auth header and look for unusual or unexpected values. Check access logs for requests to /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui that carry potentially forged authentication headers.
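The log review described above, written out as an added Node.js example (not code from the advisory or from the LobeHub project): it matches request lines against the four affected routes, flags successful requests that carried an X-lobe-chat-auth header for review, and checks an installed version against 2.1.48. The log line format and the sample lines are constructed for this example.

```javascript
// Added example, not from the advisory or LobeHub. Assumed (constructed) log line
// format: "<method> <path> <status> <X-lobe-chat-auth value, or - when absent>".
const FIXED_VERSION = "2.1.48"; // fix version named in the advisory
// The four routes listed in the advisory; "[provider]" is one path segment.
const AFFECTED_ROUTES = [
  ["POST", "/webapi/chat/[provider]"],
  ["GET", "/webapi/models/[provider]"],
  ["POST", "/webapi/models/[provider]/pull"],
  ["POST", "/webapi/create-image/comfyui"],
];
// Anchored regex per route; "[provider]" becomes "[^/]+", other regex chars are escaped.
function routeToRegex(pattern) {
  const escaped = pattern.replace(/[.*+?^${}()|\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\[provider\]/g, "[^/]+") + "$");
}
const AFFECTED = AFFECTED_ROUTES.map(([method, p]) => ({ method, pattern: p, re: routeToRegex(p) }));
// Parse one log line; returns null for blank or too-short lines. Query strings are dropped.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 4) return null;
  const [method, rawPath, status, auth] = parts;
  return { method, path: rawPath.split("?")[0], status: Number(status), auth: auth === "-" ? null : auth };
}
// Every request that hit an affected route. "suspicious" marks a 2xx response to a
// request carrying the header: the case the advisory says to review for forgery.
function scanAccessLog(text) {
  const findings = [];
  for (const req of text.split("\n").map(parseLine).filter(Boolean)) {
    const hit = AFFECTED.find((r) => r.method === req.method && r.re.test(req.path));
    if (!hit) continue;
    const ok = req.status >= 200 && req.status < 300;
    findings.push({ ...req, route: hit.pattern, suspicious: ok && req.auth !== null });
  }
  return findings;
}
// True when the installed dotted version is below the fixed version.
function isVulnerableVersion(installed) {
  const a = installed.split(".").map(Number), b = FIXED_VERSION.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Constructed sample log, not real traffic; token values are placeholders.
const SAMPLE_LOG = `
POST /webapi/chat/openai 200 PLACEHOLDER_TOKEN_1
GET /webapi/models/ollama 200 -
POST /webapi/models/ollama/pull 401 PLACEHOLDER_TOKEN_2
GET /api/health 200 -
POST /webapi/create-image/comfyui?x=1 200 PLACEHOLDER_TOKEN_3
`;
```

Run `scanAccessLog(SAMPLE_LOG).filter((f) => f.suspicious)` to list the entries worth reviewing; the header value itself is treated as opaque.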
Threat Intelligence
EPSS: 0.02% (5th percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: High. Requires a race condition, a non-standard configuration, or specific circumstances.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: Low. Partial or indirect access to some data.
- Integrity: Low. The attacker can modify some data with limited impact.
- Availability: Low. Partial or intermittent denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-39411 is to upgrade to version 2.1.48 or later of the @lobehub/lobehub library. This version uses a more robust authentication mechanism that no longer relies on the vulnerable XOR obfuscation. If an immediate upgrade is not feasible, consider a Web Application Firewall (WAF) rule that filters requests with suspicious X-lobe-chat-auth headers, specifically headers containing unusual characters or patterns that deviate from expected values. Additionally, review and restrict access to the affected webapi endpoints to minimize the impact of a successful attack. After upgrading, confirm the fix by attempting to access protected webapi routes with a forged X-lobe-chat-auth header: the request should be rejected.
How to fix
Update LobeHub to version 2.1.48 or later to mitigate the vulnerability. This update corrects how authentication is handled, removing the possibility of forging authorization headers and reaching protected routes without authentication.
Frequently Asked Questions
What is CVE-2026-39411 — Authentication Bypass in @lobehub/lobehub?
CVE-2026-39411 is an Authentication Bypass vulnerability in @lobehub/lobehub where an attacker can forge authentication tokens due to a hardcoded XOR key, bypassing authentication on protected webapi routes.
Am I affected by CVE-2026-39411 in @lobehub/lobehub?
You are affected if you are using a version of @lobehub/lobehub prior to 2.1.48 and rely on its authentication mechanisms for protected webapi routes.
How do I fix CVE-2026-39411 in @lobehub/lobehub?
Upgrade to version 2.1.48 or later of @lobehub/lobehub. Consider implementing WAF rules to filter suspicious X-lobe-chat-auth headers as a temporary mitigation.
Is CVE-2026-39411 being actively exploited?
While there is no confirmed active exploitation at this time, the ease of exploitation suggests a medium probability of exploitation and the potential for public PoC code.
Where can I find the official @lobehub/lobehub advisory for CVE-2026-39411?
Refer to the official @lobehub/lobehub repository and release notes for the advisory and detailed information regarding the fix.