Skip to main content

Node.js CVE-2026-39411

| EUVDEUVD-2026-20598 MEDIUM
Improper Authentication (CWE-287)
2026-04-08 https://github.com/lobehub/lobehub GHSA-5mwj-v5jw-5c97
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 15:16 euvd
EUVD-2026-20598
Analysis Generated
Apr 08, 2026 - 15:16 vuln.today
Patch released
Apr 08, 2026 - 15:16 nvd
Patch available
CVE Published
Apr 08, 2026 - 15:04 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Summary

The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes.

Affected routes include:

  • POST /webapi/chat/[provider]
  • GET /webapi/models/[provider]
  • POST /webapi/models/[provider]/pull
  • POST /webapi/create-image/comfyui

Details

The frontend creates X-lobe-chat-auth by XOR-obfuscating JSON with the static key LobeHub · LobeHub, and the backend reverses that operation and treats the decoded JSON as trusted authentication data.

The backend then accepts any truthy apiKey field in that decoded payload as sufficient authentication. No real API key validation is performed in this path.

As a result, an unauthenticated attacker can forge payloads such as:

json
{"apiKey":"x"}

or

{"userId":"victim-user-123","apiKey":"x"} ```

and access webapi routes as an authenticated user.

Confirmed PoC
The following forged header was generated directly from the published XOR key using payload {"apiKey":"x"}:

That header decodes server-side to:

{"apiKey":"x"}```

A simple request is:

-H 'X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8=' `

If the deployment has OPENAI_API_KEY configured, the request should succeed without a real login and return the provider model list.

A forged impersonation payload also works conceptually:

{"userId":"victim-user-123","apiKey":"x"} ```
### Impact
This is an unauthenticated authentication bypass.

An attacker can:

1. access protected webapi routes without a valid session
2. spend the deployment's server-side model provider credentials when env keys like OPENAI_API_KEY are configured
3. impersonate another user's userId for routes that load per-user provider configuration
4. invoke privileged backend model operations such as chat, model listing, model pulls, and ComfyUI image generation
### Root Cause
The core issue is trusting unsigned client-supplied auth data:

1. the auth header is only obfuscated, not authenticated
2. the obfuscation key is hardcoded and recoverable from the repository
3. the decoded apiKey field is treated as sufficient authentication even though it is never validated in this code path
4. Suggested Remediation
5. Stop treating X-lobe-chat-auth as an authentication token.
6. Remove the apiKey truthiness check as an auth decision.
7. Require a real server-validated session, OIDC token, or validated API key for all protected webapi routes.
8. If a client payload is still needed, sign it server-side with an HMAC or replace it with a normal session-bound backend lookup.
9. Affected Products

Ecosystem: npm

Package name: @lobehub/lobehub
Affected versions: <= 2.1.47
Patched versions: 2.1.48

Severity
Moderate
Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Weaknesses
CWE-287: Improper Authentication
CWE-345: Insufficient Verification of Data Authenticity
CWE-290: Authentication Bypass by Spoofing

AnalysisAI

Authentication bypass in LobeHub webapi allows unauthenticated attackers to forge X-lobe-chat-auth headers using a publicly disclosed XOR key, gaining unauthorized access to protected routes including chat, model listing, and image generation endpoints. The vulnerability affects LobeHub versions up to 2.1.47 and has a confirmed proof-of-concept; however, the CVSS vector indicates PR:L (low privilege required), suggesting the advertised attack may require some initial authentication. Vendor-released patch version 2.1.48 is available.

Technical ContextAI

LobeHub's webapi authentication layer implements a flawed custom scheme where frontend clients XOR-obfuscate JSON authentication payloads using a static hardcoded key ('LobeHub · LobeHub') stored in the repository source code. The backend decodes this XOR-obfuscated X-lobe-chat-auth header and treats the resulting JSON-specifically any truthy apiKey field-as sufficient proof of authentication without cryptographic verification or signature validation. This is a fundamental misuse of symmetric obfuscation as an authentication mechanism; obfuscation without signing or authentication tags provides no security boundary when the key is public. The affected routes (POST /webapi/chat/[provider], GET /webapi/models/[provider], POST /webapi/models/[provider]/pull, POST /webapi/create-image/comfyui) are protected by this broken scheme, allowing attackers to fabricate arbitrary payloads and inject forged userId values to impersonate other users or consume server-side API credentials configured via environment variables such as OPENAI_API_KEY.

RemediationAI

Upgrade to LobeHub version 2.1.48 or later (https://github.com/lobehub/lobehub/releases/tag/v2.1.48). The patch implements proper session-based or OIDC token validation for webapi routes and removes reliance on XOR-obfuscated headers as authentication. For deployments unable to upgrade immediately, disable or restrict network access to /webapi/* endpoints, implement WAF rules to block X-lobe-chat-auth headers not bound to valid server-side sessions, and rotate any server-side provider API credentials (OPENAI_API_KEY, etc.) that may have been exposed. See patch details in https://github.com/lobehub/lobehub/pull/13535 and https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-39411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy