CVE-2026-54157
CriticalCVSS 9.0Exploitation Probability (EPSS)
High risk75th percentile — higher than 75% of all known CVEs
Summary
LobeHub prior to version 2.1.57 had a vulnerability in the /webapi/proxy endpoint that accepted a URL in the POST body without authentication. An attacker could exploit this to make arbitrary outbound requests from LobeHub's infrastructure and leak Vercel deployment details.
Risk Assessment
The organization may be exposed to unauthorized data access and XSS attacks, potentially leading to session theft and information leakage.
Recommendation
It is recommended to upgrade to version 2.1.57 or later to mitigate this vulnerability and implement additional authorization mechanisms for API endpoints.
Original NVD description (English source)
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

