PT-2026-49346 · Npm · @Lobehub/Lobehub
Published 2026-06-15 · Updated 2026-06-16 · CVE-2026-54157
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
Name of the Vulnerable Software and Affected Versions
LobeHub versions prior to 2.1.57
Description
An unauthenticated Server-Side Request Forgery (SSRF) exists in the '/webapi/proxy' endpoint. The route handler in src/app/(backend)/webapi/proxy/route.ts does not apply the checkAuth() function that every other webapi route uses to verify authentication. Consequently, the endpoint accepts a URL in the POST body and fetches it server-side without validation. This allows an attacker to make arbitrary outbound requests from the infrastructure, leak Vercel deployment details, and expose the server's egress IP. Additionally, because the proxy reflects Set-Cookie headers from the upstream server, it can be used to inject authentication cookies such as session, clerk db jwt, and client uat on the lobehub.com domain, potentially leading to session fixation.
Recommendations
Update to version 2.1.57.
As a temporary workaround, restrict access to the '/webapi/proxy' endpoint or disable it if it is not required for essential operations.
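As an added illustration (not LobeHub's code), the following TypeScript shows the handler shape that closes the three gaps the description names: an authentication gate before any fetch, target validation against local and private addresses, and an allowlist of forwarded response headers that drops Set-Cookie. The request and fetcher types, the authentication flag standing in for checkAuth(), and the sample cookie value are hypothetical.

```typescript
// Added example, not LobeHub's code: the shape of a hardened /webapi/proxy handler.
// ProxyRequest, Fetcher, the `authenticated` flag and the cookie value are hypothetical.
type ProxyRequest = { authenticated: boolean; body: { url?: string } };
type Upstream = { status: number; headers: Record<string, string>; body: string };
type Fetcher = (url: string) => Upstream; // synchronous stand-in for fetch()

const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);
// Literal IPv4 loopback, unspecified, RFC 1918 and link-local (cloud metadata) ranges.
const PRIVATE_V4 = /^(127\.|0\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
// IPv6 loopback/unspecified/v4-mapped (::...), link-local fe80::/10, unique-local fc00::/7.
const PRIVATE_V6 = /^(::|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/;

export function validateProxyTarget(raw: string): { ok: boolean; reason?: string } {
  let url: URL | null = null;
  try { url = new URL(raw); } catch { /* fall through to the rejection below */ }
  if (!url) return { ok: false, reason: "malformed url" };
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in url" };
  // WHATWG parsing has already canonicalised forms such as 0x7f.1 to 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  const local = BLOCKED_HOSTS.has(host) || PRIVATE_V4.test(host) || (host.includes(":") && PRIVATE_V6.test(host));
  if (local) return { ok: false, reason: "private or local host" };
  // DNS names are not resolved here; a real deployment must also check the
  // address a name resolves to at connect time (DNS rebinding).
  return { ok: true };
}

// Forward only an allowlist of upstream headers. Set-Cookie is dropped, so an
// upstream server can never plant cookies on the proxy's own origin.
const FORWARDED = new Set(["content-type", "content-length", "cache-control"]);
export function sanitizeUpstreamHeaders(h: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const k of Object.keys(h)) if (FORWARDED.has(k.toLowerCase())) out[k.toLowerCase()] = h[k];
  return out;
}

export function handleProxy(req: ProxyRequest, fetcher: Fetcher): Upstream {
  // The gate the advisory says the vulnerable route lacked: refuse before fetching anything.
  if (!req.authenticated) return { status: 401, headers: {}, body: "unauthorized" };
  const target = req.body.url ?? "";
  const v = validateProxyTarget(target);
  if (!v.ok) return { status: 400, headers: {}, body: v.reason ?? "rejected" };
  const up = fetcher(target);
  return { status: up.status, headers: sanitizeUpstreamHeaders(up.headers), body: up.body };
}

// Constructed upstream that tries to set a cookie; nothing here touches the network.
export const fakeUpstream: Fetcher = () => ({
  status: 200,
  headers: { "Content-Type": "text/plain", "Set-Cookie": "session=constructed; Path=/" },
  body: "ok",
});
```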
Fix
SSRF
Affected Products
@Lobehub/Lobehub