CVE 9 CRITICAL

LobeHub: Unauthenticated SSRF in `/webapi/proxy`_CVE-2026-54157

June 23, 2026 invoker category_cve

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Description

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

AI Analysis

Unauthenticated Server-Side Request Forgery (SSRF) vulnerability in LobeHub's /webapi/proxy endpoint, allowing arbitrary outbound requests and potential cookie injection.

Basic Information

ID CVE-2026-54157

Source GitHub_M

Published Jun 23, 2026 at 17:43

Affected Product

Vendor lobehub

Product lobehub

Version < 2.1.57

Affected Versions lobehub lobehub < 2.1.57

CWE Classification

CWE-918

AI Assessment

AI Score 9 / 10

AI Severity Critical

Vendor LobeHub

Product LobeHub

Version < 2.1.57

References

github.com /lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346

{
    "lastseen": "",
    "description": "LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.",
    "published": "2026-06-23T17:43:06.473Z",
    "modified": "2026-06-23T17:43:06.473Z",
    "type": "cve",
    "title": "LobeHub: Unauthenticated SSRF in `/webapi/proxy`",
    "source": "GitHub_M",
    "references": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346",
    "id": "CVE-2026-54157",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "lobehub lobehub < 2.1.57",
    "sourceHref": "",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "lobehub",
    "version": "< 2.1.57",
    "vendor": "lobehub",
    "ai_description": "Unauthenticated Server-Side Request Forgery (SSRF) vulnerability in LobeHub's /webapi/proxy endpoint, allowing arbitrary outbound requests and potential cookie injection.",
    "ai_severity": "Critical",
    "ai_vendor": "LobeHub",
    "ai_product": "LobeHub",
    "ai_version": "< 2.1.57",
    "ai_score": 9
}

💭 Join the Security Discussion ❌ Cancel Reply