XOR Authentication Bypass in LobeHub WebAPI
CVE-2026-39411

5.0 MEDIUM

Key Information:

Vendor: Lobehub
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-39411?

LobeHub, an open-source AI chat framework, accepts a client-supplied X-lobe-chat-auth header in its webapi authentication layer in versions prior to 2.1.48. The header is only XOR-obfuscated, not signed or encrypted, and the XOR key is hardcoded in the public repository, so the obfuscation provides no authenticity: anyone who reads the source, or who holds one valid header together with its plaintext (XOR is its own inverse, so the keystream falls out directly), can construct a header the server will accept. An attacker can use this to forge authentication payloads and reach protected webapi routes, including /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull and /webapi/create-image/comfyui. The issue has been addressed in version 2.1.48; upgrade to 2.1.48 or later.

Affected Version(s)

lobehub < 2.1.48

CVSS V3.1

Score: 5.0
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability reserved

  • Vulnerability published (8 April 2026)