Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with low-privilege auth (PR:L) and no UI; SSRF reaches other internal systems so scope changes (S:C) with high confidentiality but no integrity/availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.
AnalysisAI
Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated LobeChat account (CVSS PR:L) and network reachability to the LobeChat server. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:H) scores 8.3 (High) and is internally consistent with the description: network-reachable, low complexity, requires low privileges (an authenticated account), no user interaction, high confidentiality impact on both the vulnerable system and a subsequent system (the internal service whose data is exfiltrated). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing low-privilege LobeChat account and calls the skill import (importFromUrl) or topic cover update (fetchImageFromUrl) feature, supplying a URL pointing at the cloud metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/). The server fetches that internal URL with the unprotected global fetch and returns the response, leaking temporary IAM credentials or internal service data to the attacker. … |
| Remediation | Upgrade to LobeChat 2.2.10-canary.18 or later, which routes the affected endpoints through the ssrf-safe-fetch wrapper (see fixing PR https://github.com/lobehub/lobehub/pull/16601 and advisory https://www.vulncheck.com/advisories/lobechat-canary-18-ssrf-via-importfromurl-and-fetchimagefromurl). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all LobeChat deployments and document their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by impor
Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' document
Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate c
Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticate
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41426
GHSA-r2cx-cpfx-9h63