CVE-2026-39411.yaml
info:
  name: LobeChat
  cve: CVE-2026-39411
  summary: LobeHub (LobeChat) webapi authentication bypass via forged X-lobe-chat-auth header
  details: >-
    LobeHub (formerly LobeChat) prior to version 2.1.48 contains an authentication bypass
    vulnerability in its webapi layer. The authentication mechanism trusts a client-controlled
    X-lobe-chat-auth header that is only XOR-obfuscated with a hardcoded key in the repository,
    rather than cryptographically signed. An attacker can forge arbitrary auth payloads to bypass
    authentication on protected webapi routes including /webapi/chat/[provider],
    /webapi/models/[provider], /webapi/models/[provider]/pull, and
    /webapi/create-image/comfyui. This allows unauthorized access to LLM provider APIs and
    image generation endpoints. The vulnerability is fixed in version 2.1.48.
  cvss: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
  severity: MEDIUM
  security_advise: >-
    Upgrade LobeHub/LobeChat to version 2.1.48 or later. The fix replaces
    the XOR-obfuscated auth header with a properly signed and authenticated mechanism.
  references:
    - https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97
    - https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428
    - https://github.com/lobehub/lobehub/releases/tag/v2.1.48
rule: version < "2.1.48"
references:
  - https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97
  - https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428
  - https://github.com/lobehub/lobehub/releases/tag/v2.1.48