CVE-2026-54157 - Vulnerability Details - OpenCVE

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346

History

Tue, 23 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.
Title		LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Weaknesses		CWE-918
References		https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346
Metrics		cvssV3_1 `{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-23T17:43:06.473Z

Updated: 2026-06-23T18:28:48.372Z

Reserved: 2026-06-11T21:15:33.872Z

Link: CVE-2026-54157

Vulnrichment

Updated: 2026-06-23T18:28:43.071Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54157", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-11T21:15:33.872Z", "datePublished": "2026-06-23T17:43:06.473Z", "dateUpdated": "2026-06-23T18:28:48.372Z"}, "containers": {"cna": {"title": "LobeHub: Unauthenticated SSRF in `/webapi/proxy`", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346"}], "affected": [{"vendor": "lobehub", "product": "lobehub", "versions": [{"version": "< 2.1.57", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T17:43:06.473Z"}, "descriptions": [{"lang": "en", "value": "LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57."}], "source": {"advisory": "GHSA-xmwj-c75x-6346", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T18:28:24.152487Z", "id": "CVE-2026-54157", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T18:28:48.372Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54157", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-23T18:28:24.152487Z"}}}], "references": [{"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T18:28:43.071Z"}}], "cna": {"title": "LobeHub: Unauthenticated SSRF in `/webapi/proxy`", "source": {"advisory": "GHSA-xmwj-c75x-6346", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lobehub", "product": "lobehub", "versions": [{"status": "affected", "version": "< 2.1.57"}]}], "references": [{"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346", "name": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T17:43:06.473Z"}}}, "cveMetadata": {"cveId": "CVE-2026-54157", "state": "PUBLISHED", "dateUpdated": "2026-06-23T18:28:48.372Z", "dateReserved": "2026-06-11T21:15:33.872Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-23T17:43:06.473Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}