GHSA-5MWJ-V5JW-5C97

Vulnerability from github – Published: 2026-04-08 15:04 – Updated: 2026-04-09 14:28
VLAI?
Summary
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
Details

Summary

The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes.

Affected routes include: - POST /webapi/chat/[provider] - GET /webapi/models/[provider] - POST /webapi/models/[provider]/pull - POST /webapi/create-image/comfyui

Details

The frontend creates X-lobe-chat-auth by XOR-obfuscating JSON with the static key LobeHub · LobeHub, and the backend reverses that operation and treats the decoded JSON as trusted authentication data.

The backend then accepts any truthy apiKey field in that decoded payload as sufficient authentication. No real API key validation is performed in this path.

As a result, an unauthenticated attacker can forge payloads such as:

{"apiKey":"x"}

or

{"userId":"victim-user-123","apiKey":"x"}

and access webapi routes as an authenticated user.

Confirmed PoC The following forged header was generated directly from the published XOR key using payload {"apiKey":"x"}:

X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8=

That header decodes server-side to:

{"apiKey":"x"}

A simple request is:

curl 'https://TARGET/webapi/models/openai' \ -H 'X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8='

If the deployment has OPENAI_API_KEY configured, the request should succeed without a real login and return the provider model list.

A forged impersonation payload also works conceptually:

{"userId":"victim-user-123","apiKey":"x"}

Impact

This is an unauthenticated authentication bypass.

An attacker can:

  1. access protected webapi routes without a valid session
  2. spend the deployment's server-side model provider credentials when env keys like OPENAI_API_KEY are configured
  3. impersonate another user's userId for routes that load per-user provider configuration
  4. invoke privileged backend model operations such as chat, model listing, model pulls, and ComfyUI image generation

Root Cause

The core issue is trusting unsigned client-supplied auth data:

  1. the auth header is only obfuscated, not authenticated
  2. the obfuscation key is hardcoded and recoverable from the repository
  3. the decoded apiKey field is treated as sufficient authentication even though it is never validated in this code path
  4. Suggested Remediation
  5. Stop treating X-lobe-chat-auth as an authentication token.
  6. Remove the apiKey truthiness check as an auth decision.
  7. Require a real server-validated session, OIDC token, or validated API key for all protected webapi routes.
  8. If a client payload is still needed, sign it server-side with an HMAC or replace it with a normal session-bound backend lookup.
  9. Affected Products

Ecosystem: npm

Package name: @lobehub/lobehub Affected versions: <= 2.1.47 Patched versions: 2.1.48

Severity Moderate Vector String CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Weaknesses CWE-287: Improper Authentication CWE-345: Insufficient Verification of Data Authenticity CWE-290: Authentication Bypass by Spoofing

Severity ?
5.0 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.47"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@lobehub/lobehub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-290",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T15:04:30Z",
    "nvd_published_at": "2026-04-08T20:16:25Z",
    "severity": "MODERATE"
  },
  "details": "# Summary\n\nThe `webapi` authentication layer trusts a client-controlled `X-lobe-chat-auth` header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected `webapi` routes.\n\nAffected routes include:\n- `POST /webapi/chat/[provider]`\n- `GET /webapi/models/[provider]`\n- `POST /webapi/models/[provider]/pull`\n- `POST /webapi/create-image/comfyui`\n\n## Details\n\nThe frontend creates `X-lobe-chat-auth` by XOR-obfuscating JSON with the static key `LobeHub \u00b7 LobeHub`, and the backend reverses that operation and treats the decoded JSON as trusted authentication data.\n\nThe backend then accepts any truthy `apiKey` field in that decoded payload as sufficient authentication. No real API key validation is performed in this path.\n\nAs a result, an unauthenticated attacker can forge payloads such as:\n\n```json\n{\"apiKey\":\"x\"} \n```\n\nor \n\n``` {\"userId\":\"victim-user-123\",\"apiKey\":\"x\"} ```\n\nand access webapi routes as an authenticated user.\n\nConfirmed PoC\nThe following forged header was generated directly from the published XOR key using payload {\"apiKey\":\"x\"}:\n\n\n``` X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8= ```\n\nThat header decodes server-side to:\n\n``` {\"apiKey\":\"x\"}```\n\nA simple request is:\n\n``` curl \u0027https://TARGET/webapi/models/openai\u0027 \\\n  -H \u0027X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8=\u0027 ``` \n\nIf the deployment has OPENAI_API_KEY configured, the request should succeed without a real login and return the provider model list.\n\nA forged impersonation payload also works conceptually:\n\n``` {\"userId\":\"victim-user-123\",\"apiKey\":\"x\"} ``` \n\n### Impact\nThis is an unauthenticated authentication bypass.\n\nAn attacker can:\n\n1. access protected webapi routes without a valid session\n2. spend the deployment\u0027s server-side model provider credentials when env keys like OPENAI_API_KEY are configured\n3. impersonate another user\u0027s userId for routes that load per-user provider configuration\n4. invoke privileged backend model operations such as chat, model listing, model pulls, and ComfyUI image generation\n\n### Root Cause\nThe core issue is trusting unsigned client-supplied auth data:\n\n1. the auth header is only obfuscated, not authenticated\n2. the obfuscation key is hardcoded and recoverable from the repository\n3. the decoded apiKey field is treated as sufficient authentication even though it is never validated in this code path\n4. Suggested Remediation\n5. Stop treating X-lobe-chat-auth as an authentication token.\n6. Remove the apiKey truthiness check as an auth decision.\n7. Require a real server-validated session, OIDC token, or validated API key for all protected webapi routes.\n8. If a client payload is still needed, sign it server-side with an HMAC or replace it with a normal session-bound backend lookup.\n9. Affected Products\n\nEcosystem: npm\n\nPackage name: @lobehub/lobehub\nAffected versions: \u003c= 2.1.47\nPatched versions: 2.1.48\n\nSeverity\nModerate\nVector String\nCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L\n\nWeaknesses\nCWE-287: Improper Authentication\nCWE-345: Insufficient Verification of Data Authenticity\nCWE-290: Authentication Bypass by Spoofing",
  "id": "GHSA-5mwj-v5jw-5c97",
  "modified": "2026-04-09T14:28:56Z",
  "published": "2026-04-08T15:04:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39411"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lobehub/lobehub/pull/13535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lobehub/lobehub"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lobehub/lobehub/releases/tag/v2.1.48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.