Home Embedded Vulns General Vulns

CVE-2026-39411

MEDIUM 5.0

Our Analysis: Environment Specific

Our model has classified this vulnerability as relevant to Environment Specific Systems, helping your team prioritize efforts effectively.

Published Date April 8, 2026
Last Modified April 8, 2026
CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.

Potentially Affected Vendors