CVE-2026-59095
Status: Received - Intake

Server-Side Request Forgery in LobeChat

Vulnerability report for CVE-2026-59095, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE: CWE-918 (Server-Side Request Forgery). The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

AI Quick Actions (AI-generated analysis)

Executive Summary

CVE-2026-59095 is a Server-Side Request Forgery (SSRF) vulnerability in LobeChat versions before 2.2.10-canary.18. It affects two authenticated endpoints: the skill import service (importFromUrl) and the topic cover update (fetchImageFromUrl). These endpoints use the global fetch function without the project's ssrf-safe-fetch wrapper, allowing attackers to supply arbitrary URLs.

Because of this, an authenticated attacker can make the server issue HTTP requests to internal addresses, including cloud instance metadata endpoints, which are reachable only from the instance itself and are never exposed to users directly. The responses are returned to the attacker, which can disclose internal service output and, where the instance has an attached role or identity, cloud credentials.

Impact Analysis

This vulnerability allows authenticated attackers to make the server perform HTTP requests to arbitrary internal URLs, potentially exposing sensitive internal data.

  • Disclosure of internal service responses.
  • Exposure of cloud credentials via access to cloud instance metadata endpoints.
  • Potential unauthorized access to internal network resources.

Detection Guidance

This vulnerability is exploited by authenticated users who submit a URL to one of two endpoints (importFromUrl and fetchImageFromUrl); the LobeChat server then fetches that URL itself, so the malicious request shows up in the server's outbound traffic, not the attacker's. Detection therefore has two vantage points: the submitted URL at the application layer, and the resulting outbound connection at the network layer.

Monitor application logs for requests to these endpoints whose URL points at loopback, RFC 1918 or link-local space (in particular the cloud metadata address 169.254.169.254), at hostnames that resolve there (for example metadata.google.internal), or at alternative encodings of those addresses (decimal, hexadecimal, or IPv4-mapped IPv6 forms), which a pattern match on the dotted form alone will miss.

  • Check application logs for POST requests to endpoints like `/agentSkills.importFromUrl` and `/generationTopic.updateTopicCover` containing URLs pointing to internal IP addresses or cloud metadata endpoints. Because these are POST requests, the submitted URL is normally in the request body, which a plain access log does not record; this check needs body or application-level logging.
  • Use network monitoring tools to detect outbound HTTP requests from the server to internal IP ranges or unusual destinations.
  • Example command to search logs for suspicious URLs (assuming the submitted URL is written to the log as text or JSON). The `10.` pattern is word-anchored so that it does not match fragments of other addresses or version strings:

grep -E 'importFromUrl|updateTopicCover' /path/to/server/logs | grep -E '169\.254\.169\.254|127\.0\.0\.1|localhost|0\.0\.0\.0|\b10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.'

Alternatively, capture the server's outbound traffic with tcpdump or Wireshark and filter for connections to internal IP ranges. In pcap filter syntax `and` binds more tightly than `or`, so the destination networks must be parenthesised (and the expression quoted for the shell); without the parentheses `tcp` applies only to the first network and everything sent to the others is captured:

tcpdump -nn -i eth0 'tcp and (dst net 169.254.0.0/16 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16)'

On a host that legitimately talks to databases or caches on private addresses this filter is noisy; `tcp and dst host 169.254.169.254` isolates the metadata-service case, and adding `and dst port 80` narrows it further, since the cloud metadata services listen on plain HTTP.

Mitigation Strategies

The primary mitigation is to upgrade LobeChat to version 2.2.10-canary.18 or later, where the vulnerability has been fixed by routing the affected fetch calls through the project's `ssrf-safe-fetch` wrapper.

This fix blocks requests to private and link-local IP addresses at connection time and re-checks every redirect hop, preventing SSRF attacks targeting internal services and cloud metadata.

  • Upgrade LobeChat to version 2.2.10-canary.18 or newer.
  • Audit your codebase for any other uses of the raw global `fetch` function that might bypass SSRF protections and replace them with `ssrf-safe-fetch`.
  • If upgrading immediately is not possible, remember that exploitation already requires an account, so "trusted users" must mean a small, vetted set: restrict the `importFromUrl` and `fetchImageFromUrl` endpoints to those accounts, or block the two routes at the reverse proxy until the upgrade is done.
  • Implement network-level egress controls that block outbound HTTP from the application host or container to loopback, RFC 1918 and link-local ranges, including 169.254.169.254. On AWS, additionally require IMDSv2 (a session token obtained with a PUT request) and keep the response hop limit at 1; the GCP and Azure metadata services require a custom request header (`Metadata-Flavor: Google` and `Metadata: true`), so an SSRF that cannot set request headers cannot read them. These are properties of the cloud service, not of the vulnerable code, and do not replace the upgrade.

These steps will help prevent attackers from exploiting the SSRF vulnerability to access internal services or cloud credentials.
