CVE Catalog

CVE-2026-54157

CriticalCVSS 9.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
1.78%

75th percentile — higher than 75% of all known CVEs

Summary

LobeHub prior to version 2.1.57 had a vulnerability in the /webapi/proxy endpoint that accepted a URL in the POST body without authentication. An attacker could exploit this to make arbitrary outbound requests from LobeHub's infrastructure and leak Vercel deployment details.

Risk Assessment

The organization may be exposed to unauthorized data access and XSS attacks, potentially leading to session theft and information leakage.

Recommendation

It is recommended to upgrade to version 2.1.57 or later to mitigate this vulnerability and implement additional authorization mechanisms for API endpoints.

Original NVD description (English source)

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS