CVE-2026-54157: LobeHub: Unauthenticated SSRF in `/webapi/proxy`

June 16, 2026

The /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. This is the same proxy code that was vulnerable in CVE-2024-32964, where /api/proxy was fixed by adding auth middleware. The /webapi/proxy route was never secured — it is the only webapi route missing the checkAuth() wrapper. An attacker can use this to make arbitrary outbound requests from LobeHub’s infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers.

References

github.com/advisories/GHSA-xmwj-c75x-6346
github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346
nvd.nist.gov/vuln/detail/CVE-2026-54157

Code Behaviors & Features

Detect and mitigate CVE-2026-54157 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →