Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes.
Affected routes include:
POST /webapi/chat/[provider]GET /webapi/models/[provider]POST /webapi/models/[provider]/pullPOST /webapi/create-image/comfyui
Details
The frontend creates X-lobe-chat-auth by XOR-obfuscating JSON with the static key LobeHub · LobeHub, and the backend reverses that operation and treats the decoded JSON as trusted authentication data.
The backend then accepts any truthy apiKey field in that decoded payload as sufficient authentication. No real API key validation is performed in this path.
As a result, an unauthenticated attacker can forge payloads such as:
{"apiKey":"x"}or
and access webapi routes as an authenticated user.
Confirmed PoC
The following forged header was generated directly from the published XOR key using payload {"apiKey":"x"}:
That header decodes server-side to:
A simple request is:
-H 'X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8=' `
If the deployment has OPENAI_API_KEY configured, the request should succeed without a real login and return the provider model list.
A forged impersonation payload also works conceptually:
### Impact
This is an unauthenticated authentication bypass.
An attacker can:
1. access protected webapi routes without a valid session
2. spend the deployment's server-side model provider credentials when env keys like OPENAI_API_KEY are configured
3. impersonate another user's userId for routes that load per-user provider configuration
4. invoke privileged backend model operations such as chat, model listing, model pulls, and ComfyUI image generation
### Root Cause
The core issue is trusting unsigned client-supplied auth data:
1. the auth header is only obfuscated, not authenticated
2. the obfuscation key is hardcoded and recoverable from the repository
3. the decoded apiKey field is treated as sufficient authentication even though it is never validated in this code path
4. Suggested Remediation
5. Stop treating X-lobe-chat-auth as an authentication token.
6. Remove the apiKey truthiness check as an auth decision.
7. Require a real server-validated session, OIDC token, or validated API key for all protected webapi routes.
8. If a client payload is still needed, sign it server-side with an HMAC or replace it with a normal session-bound backend lookup.
9. Affected Products
Ecosystem: npm
Package name: @lobehub/lobehub
Affected versions: <= 2.1.47
Patched versions: 2.1.48
Severity
Moderate
Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses
CWE-287: Improper Authentication
CWE-345: Insufficient Verification of Data Authenticity
CWE-290: Authentication Bypass by SpoofingAnalysisAI
Authentication bypass in LobeHub webapi allows unauthenticated attackers to forge X-lobe-chat-auth headers using a publicly disclosed XOR key, gaining unauthorized access to protected routes including chat, model listing, and image generation endpoints. The vulnerability affects LobeHub versions up to 2.1.47 and has a confirmed proof-of-concept; however, the CVSS vector indicates PR:L (low privilege required), suggesting the advertised attack may require some initial authentication. Vendor-released patch version 2.1.48 is available.
Technical ContextAI
LobeHub's webapi authentication layer implements a flawed custom scheme where frontend clients XOR-obfuscate JSON authentication payloads using a static hardcoded key ('LobeHub · LobeHub') stored in the repository source code. The backend decodes this XOR-obfuscated X-lobe-chat-auth header and treats the resulting JSON-specifically any truthy apiKey field-as sufficient proof of authentication without cryptographic verification or signature validation. This is a fundamental misuse of symmetric obfuscation as an authentication mechanism; obfuscation without signing or authentication tags provides no security boundary when the key is public. The affected routes (POST /webapi/chat/[provider], GET /webapi/models/[provider], POST /webapi/models/[provider]/pull, POST /webapi/create-image/comfyui) are protected by this broken scheme, allowing attackers to fabricate arbitrary payloads and inject forged userId values to impersonate other users or consume server-side API credentials configured via environment variables such as OPENAI_API_KEY.
RemediationAI
Upgrade to LobeHub version 2.1.48 or later (https://github.com/lobehub/lobehub/releases/tag/v2.1.48). The patch implements proper session-based or OIDC token validation for webapi routes and removes reliance on XOR-obfuscated headers as authentication. For deployments unable to upgrade immediately, disable or restrict network access to /webapi/* endpoints, implement WAF rules to block X-lobe-chat-auth headers not bound to valid server-side sessions, and rotate any server-side provider API credentials (OPENAI_API_KEY, etc.) that may have been exposed. See patch details in https://github.com/lobehub/lobehub/pull/13535 and https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20598
GHSA-5mwj-v5jw-5c97