CVE-2026-39411

EPSS 0.02%
Veröffentlicht 08.04.2026 19:37:43
Zuletzt bearbeitet 20.04.2026 15:03:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lobehub ≫ Lobehub SwPlatformnode.js Version < 2.1.48

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.053

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
security-advisories@github.com	5	1.6	3.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97

Vendor Advisory

https://github.com/lobehub/lobehub/pull/13535

Issue Tracking

https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428

Patch

https://github.com/lobehub/lobehub/releases/tag/v2.1.48

Product

https://nvd.nist.gov/vuln/detail/CVE-2026-39411

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39411

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39411

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39411