CVE-2026-54157
published 2026-06-23

Priority: P2 (63) · Severity: critical · CVSS 3.1 base score: 9
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
Exploit: flagged
EPSS: 1.78% (75.5th percentile)
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

Affected (2 ranges)

Vendor   | Product | Version range   | Fixed in
lobehub  | lobehub | < 2.1.57        | 2.1.57
lobehub  | lobehub | >= 0, < 2.1.57  | 2.1.57

Detection & IOCs (extracted from sources)

URL: /webapi/proxy
  • Monitor for unauthenticated POST requests to the /webapi/proxy endpoint; any request to this path without authentication should be treated as suspicious SSRF activity.
  • Detect reflected Set-Cookie headers in responses originating from the /webapi/proxy endpoint, which may indicate cookie injection attempts on the lobehub.com domain.
  • Alert on outbound requests from LobeHub infrastructure to Interactsh callback servers, which are commonly used by attackers to confirm SSRF exploitation.
  • Flag any POST body to /webapi/proxy containing internal or cloud-metadata URLs (e.g., 169.254.169.254, Vercel internal endpoints) to detect attempts to leak deployment details.
  • The vulnerability is fixed in version 2.1.57; instances running earlier versions are affected. Verify the deployed version before relying solely on detection.
  • The SSRF endpoint requires no authentication, so any unauthenticated actor can trigger outbound requests; detection rules should not filter on authenticated sessions.
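As an added illustration of the detection rules above (example code written for this page, not LobeHub's or the database's own), a small Python classifier that applies the request and response checks to constructed access records; the record fields, rule names and sample values are assumptions for the example.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed access records (not real logs) in the shape assumed for this example:
# method, path, whether a session was presented, raw POST body, response headers.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/webapi/proxy", "authenticated": False,
     "body": '{"url": "http://169.254.169.254/latest/meta-data/"}', "resp_headers": {}},
    {"method": "POST", "path": "/webapi/proxy", "authenticated": False,
     "body": '{"url": "https://example.org/page"}',
     "resp_headers": {"Set-Cookie": "session=x; Domain=lobehub.com"}},
    {"method": "GET", "path": "/webapi/health", "authenticated": True,
     "body": "", "resp_headers": {}},
]

def is_internal_target(url):
    """True when the proxied host is non-global (link-local metadata, private, loopback)."""
    host = urlparse(url).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # Not an IP literal; without DNS we only flag well-known internal names.
        return host in {"localhost", "metadata.google.internal"}

def classify_record(rec):
    """Return the advisory's detection rules that this record matches, in fixed order."""
    findings = []
    if rec["path"] != "/webapi/proxy":
        return findings
    # Rule: unauthenticated POST to the proxy endpoint is suspicious by itself.
    if rec["method"] == "POST" and not rec["authenticated"]:
        findings.append("unauthenticated-proxy-post")
    # Rule: POST body carrying an internal or cloud-metadata URL (checked regardless of auth).
    try:
        target = json.loads(rec["body"] or "{}").get("url", "")
    except json.JSONDecodeError:
        target = ""
    if target and is_internal_target(target):
        findings.append("internal-target-url")
    # Rule: Set-Cookie reflected in a proxy response (cookie injection on lobehub.com).
    if any(name.lower() == "set-cookie" for name in rec["resp_headers"]):
        findings.append("reflected-set-cookie")
    return findings

def scan(records):
    """(index, matched rules) for every record that matched at least one rule."""
    results = [(i, classify_record(rec)) for i, rec in enumerate(records)]
    return [(i, rules) for i, rules in results if rules]
```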

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd    | 3.1          | 9.0   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
ghsa   | (not given)  | 9.0   | CRITICAL | (not given)