CVE-2026-39411
Authentication Bypass in LobeHub WebAPI via Forged XOR Header

Publication date: 2026-04-08

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.
Meta Information
Published
2026-04-08
Last Modified
2026-04-20
Generated
2026-05-07
AI Q&A
2026-04-08
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor: lobehub
Product: lobehub
Version / Range: up to 2.1.48 (excluding)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39411 is an authentication bypass vulnerability in LobeHub's web API prior to version 2.1.48. The issue arises because the authentication mechanism relies on a client-controlled HTTP header called X-lobe-chat-auth, which is only XOR-obfuscated using a hardcoded static key rather than being cryptographically signed or properly authenticated.

Because the XOR key is hardcoded and publicly accessible, an attacker can forge arbitrary authentication payloads by XOR-ing JSON data (such as {"apiKey":"x","userId":"victim-id"}) with this key. The backend then decodes and trusts this data without verifying its legitimacy, allowing attackers to bypass authentication and impersonate other users.

Affected API routes include chat, model listing, model pulling, and image creation endpoints. The vulnerability was fixed in version 2.1.48 by removing the insecure XOR obfuscation mechanism and requiring proper server-validated sessions or OIDC tokens for authentication.
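The following added example (written for this page, not LobeHub's code) models the two server-side checks described above in Python: a verifier that XOR-decodes a client header with a repository-wide constant and trusts the embedded userId, beside a verifier for a server-issued, HMAC-signed, expiring token. The XOR key, token format and function names are constructed for the demonstration; the only property carried over from the advisory is that an obfuscation constant shipped in the repository is known to every client, so decoding it proves nothing about who sent the request.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- Vulnerable pattern: XOR "obfuscation" used as if it were authentication ---
# Constructed stand-in key (NOT LobeHub's real constant). Anything shipped in a
# public repository is known to every client, honest or otherwise.
HARDCODED_XOR_KEY = b"example-obfuscation-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; symmetric, so encode == decode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_xor_header(payload: dict) -> str:
    """Header value a client sends under the flawed scheme: base64(xor(json, key))."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(raw, HARDCODED_XOR_KEY)).decode()


def vulnerable_authenticate(header_value: str) -> Optional[str]:
    """Server side of the flawed scheme: decode the header and trust its userId.

    Nothing here ties the payload to a server-validated session, so the server
    cannot tell a legitimate client from anyone else who read the key.
    """
    try:
        raw = xor_bytes(base64.b64decode(header_value), HARDCODED_XOR_KEY)
        payload = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    return payload.get("userId")


# --- Hardened pattern: server-issued, signed, expiring token ---
# The secret never leaves the server; generated at startup for this demo.
SERVER_SECRET = secrets.token_bytes(32)


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()


def issue_signed_token(user_id: str, ttl_seconds: int = 3600) -> str:
    """Mint a token only the server can produce: base64(payload).hmac_sha256."""
    payload = {"userId": user_id, "exp": int(time.time()) + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    return body.decode() + "." + _sign(body)


def verify_signed_token(token: str) -> Optional[str]:
    """Return the userId only if the signature matches and the token is unexpired."""
    try:
        body_text, sig = token.split(".", 1)
        body = body_text.encode()
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(_sign(body), sig):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) <= int(time.time()):
        return None
    return payload.get("userId")


if __name__ == "__main__":
    # Any client can build a header naming any user; the vulnerable check accepts it.
    print(vulnerable_authenticate(encode_xor_header({"apiKey": "x", "userId": "victim-id"})))
    tok = issue_signed_token("alice")
    # Signed token verifies; any change to its body breaks the signature.
    print(verify_signed_token(tok), verify_signed_token("A" + tok))
```

The contrast is the point: the XOR verifier returns whatever userId the header names, because the only "secret" is shared with every client, while the signed verifier rejects any token whose body was altered, whose signature was corrupted, or whose expiry has passed. The advisory's actual fix relies on server-validated sessions or OIDC tokens; the HMAC token here is an illustrative stand-in with the same essential property, that the client cannot mint or alter a credential the server will accept.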


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to bypass authentication entirely and gain unauthorized access to protected web API routes.

  • Attackers can impersonate other users by specifying arbitrary user IDs.
  • They can misuse server-side model provider credentials, such as OpenAI API keys, if configured.
  • Attackers can perform privileged backend operations including chat interactions, model listing, model pulls, and image generation.

Overall, this leads to unauthorized data access, potential data manipulation, and misuse of backend resources.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP requests to the affected LobeHub web API routes for the presence of the client-controlled `X-lobe-chat-auth` header containing XOR-obfuscated authentication payloads. Since the XOR key is hardcoded and publicly known, an attacker can forge this header to bypass authentication.

To detect potential exploitation attempts, you can inspect incoming requests to the following API endpoints for suspicious or forged `X-lobe-chat-auth` headers:

  • POST /webapi/chat/[provider]
  • GET /webapi/models/[provider]
  • POST /webapi/models/[provider]/pull
  • POST /webapi/create-image/comfyui

You can use network traffic inspection tools like tcpdump, Wireshark, or HTTP proxy logs to filter requests containing the `X-lobe-chat-auth` header. For example, using tcpdump to capture HTTP headers on port 80 (or on port 443, only where that traffic is not TLS-encrypted) might look like:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'X-lobe-chat-auth'

If HTTPS is used, inspecting decrypted traffic via a proxy or server logs that record headers is necessary.

Additionally, checking server logs for authentication bypass attempts or unusual access patterns to the affected routes may help detect exploitation.
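As an added example (not part of the original advisory or of LobeHub), the following Python script applies the detection logic above to request logs. It assumes a hypothetical JSON-per-line log format in which a reverse proxy or the application records method, path, source address and request headers; the sample lines are constructed, with header values omitted. It flags every request that carries `X-lobe-chat-auth` (header names compared case-insensitively) to one of the four affected routes, matching `[provider]` as a single path segment, and aggregates hits per source address.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Routes named in the advisory; [provider] is one path segment (assumption:
# provider names contain no '/'). Methods follow the listing above.
AFFECTED_ROUTES = [
    ("POST", re.compile(r"^/webapi/chat/[^/]+$")),
    ("GET", re.compile(r"^/webapi/models/[^/]+$")),
    ("POST", re.compile(r"^/webapi/models/[^/]+/pull$")),
    ("POST", re.compile(r"^/webapi/create-image/comfyui$")),
]
AUTH_HEADER = "x-lobe-chat-auth"

# Constructed sample log (hypothetical schema): one JSON object per line, as a
# proxy or app logger configured to record request headers might emit.
SAMPLE_LOG = """\
{"ts":"2026-04-09T10:00:01Z","src_ip":"203.0.113.7","method":"POST","path":"/webapi/chat/openai","headers":{"X-lobe-chat-auth":"<omitted>","Content-Type":"application/json"}}
{"ts":"2026-04-09T10:00:02Z","src_ip":"203.0.113.7","method":"GET","path":"/webapi/models/ollama","headers":{"x-lobe-chat-auth":"<omitted>"}}
{"ts":"2026-04-09T10:00:03Z","src_ip":"198.51.100.9","method":"POST","path":"/webapi/models/ollama/pull","headers":{"Content-Type":"application/json"}}
{"ts":"2026-04-09T10:00:04Z","src_ip":"198.51.100.9","method":"GET","path":"/api/health","headers":{"X-lobe-chat-auth":"<omitted>"}}
{"ts":"2026-04-09T10:00:05Z","src_ip":"198.51.100.9","method":"POST","path":"/webapi/create-image/comfyui","headers":{"X-Lobe-Chat-Auth":"<omitted>"}}
{"ts":"2026-04-09T10:00:06Z","src_ip":"192.0.2.33","method":"POST","path":"/webapi/chat/openai/extra","headers":{"X-lobe-chat-auth":"<omitted>"}}
this line is not json and must be skipped
"""


def is_affected_route(method: str, path: str) -> bool:
    """True when method+path is one of the four routes listed in the advisory."""
    return any(m == method.upper() and rx.match(path) is not None
               for m, rx in AFFECTED_ROUTES)


def has_auth_header(headers: Dict[str, str]) -> bool:
    """HTTP header names are case-insensitive; normalise before comparing."""
    return any(name.lower() == AUTH_HEADER for name in headers)


def scan_log_lines(text: str) -> List[dict]:
    """One finding per request that sent X-lobe-chat-auth to an affected route."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        method, path = rec.get("method", ""), rec.get("path", "")
        if is_affected_route(method, path) and has_auth_header(rec.get("headers", {})):
            findings.append({"line": lineno, "ts": rec.get("ts"),
                             "src_ip": rec.get("src_ip"), "method": method, "path": path})
    return findings


def count_by_source(findings: List[dict]) -> Dict[str, int]:
    """Aggregate findings per client address to surface sources hammering the routes."""
    return dict(Counter(f["src_ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['src_ip']} {h['method']} {h['path']} sent {AUTH_HEADER}")
    print(count_by_source(hits))
```

On the sample, lines 1, 2 and 5 are flagged; line 3 lacks the header, line 4 is not an affected route, and line 6 has an extra path segment so the anchored pattern does not match. Because a LobeHub client older than the fix sends this header as its normal authentication mechanism, a hit is a request to review rather than proof of exploitation; the per-source counts and the unusual access patterns mentioned above are what separate abuse from ordinary traffic.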


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade LobeHub to version 2.1.48 or later, where this vulnerability is fixed by removing the insecure XOR obfuscation authentication mechanism and the legacy `apiKey` fallback.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Block or filter incoming requests containing the `X-lobe-chat-auth` header at the network or application firewall level.
  • Restrict access to the affected API routes (`/webapi/chat/[provider]`, `/webapi/models/[provider]`, `/webapi/models/[provider]/pull`, `/webapi/create-image/comfyui`) to trusted networks or authenticated users only.
  • Monitor logs for suspicious activity and revoke any compromised API keys or user sessions.

Long-term remediation involves enforcing proper server-validated sessions or OIDC tokens for authentication and discontinuing reliance on client-supplied, unsigned authentication headers.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to bypass authentication and impersonate users, gaining unauthorized access to protected web API routes and sensitive data such as provider API keys.

Such unauthorized access and impersonation can lead to breaches of confidentiality and integrity of user data, which may violate data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive information.

By failing to properly authenticate users and protect API keys, the vulnerability undermines compliance with standards mandating secure authentication mechanisms and data access restrictions.

The fix implemented removes the insecure XOR-based authentication and enforces server-validated sessions or OIDC tokens, thereby improving security posture and helping to meet compliance requirements.

