CVE-2026-54157
Published 2026-06-23
Priority P2 (63) · Critical, 9.0 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
EXPLOIT
EPSS: 1.78% (75.5th percentile)
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.
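The three defects in the description (no authentication, no restriction on the fetched URL, upstream headers relayed verbatim) map onto three controls in a server-side proxy. The block below is an added example, not LobeHub's code or its fix; the request shape (a session user plus a JSON body with a url field), the injectable resolver and the FAKE_DNS table are assumptions so it runs offline. It also handles the cases that naive string filters miss: IPv4-mapped IPv6 literals, names that resolve to a private address, and names with mixed public and private records.

```python
"""Added example (not LobeHub's code): gating a server-side URL proxy before
fetching and sanitising what it relays back. The endpoint shape, the session
check and the resolver hook are assumptions for the demo."""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Upstream headers a proxy must never relay: the browser would apply them to the
# proxy's own origin, which is the reflected Set-Cookie problem in the advisory.
STRIPPED_RESPONSE_HEADERS = {"set-cookie", "set-cookie2"}

# Constructed DNS table so the example runs offline; use default_resolve for real traffic.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],        # name that hides a metadata target
    "split.example": ["93.184.216.34", "10.0.0.5"],  # mixed public/private records
}


def default_resolve(host: str) -> list[str]:
    """Real resolver: every address the name maps to (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def _is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # RFC 1918, loopback, link-local (169.254.0.0/16 incl. cloud metadata),
    # unspecified, multicast and reserved ranges, plus their IPv6 equivalents.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:169.254.169.254 as the IPv4 it wraps
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def validate_proxy_target(url: str, resolve=default_resolve) -> str:
    """Return one pinned IP for `url`, or raise ValueError.

    The caller must connect to the returned IP (keeping the original Host
    header / SNI) instead of resolving again; otherwise a DNS-rebinding
    attacker passes this check with a public record and serves a private
    one on the real fetch.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal, including bracketed IPv6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError(f"host did not resolve: {host!r}")
    for ip in addrs:  # every record must be public, not just the first
        if _is_internal(ip):
            raise ValueError(f"{host!r} resolves to internal address {ip}")
    return str(addrs[0])


def relay_response_headers(upstream: dict[str, str]) -> dict[str, str]:
    """Copy upstream headers for the client, dropping cookie-setting ones."""
    return {k: v for k, v in upstream.items() if k.lower() not in STRIPPED_RESPONSE_HEADERS}


def handle_proxy_request(session_user: str | None, body: dict,
                         resolve=default_resolve) -> tuple[int, dict]:
    """Gate a POST /webapi/proxy-style request; returns (status, detail)."""
    if session_user is None:  # the advisory's first defect: no auth at all
        return 401, {"error": "authentication required"}
    try:
        pinned = validate_proxy_target(str(body.get("url", "")), resolve)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 200, {"pinned_ip": pinned}  # the real fetch would connect to this IP


if __name__ == "__main__":
    for user, url in [(None, "https://example.com/"),
                      ("alice", "http://169.254.169.254/latest/meta-data/"),
                      ("alice", "http://metadata.internal/"),
                      ("alice", "https://example.com/feed.xml")]:
        print(user, url, handle_proxy_request(user, {"url": url}, fake_resolve))
```

Pinning the resolved address is the part most proxies get wrong: checking the name and then handing the URL to an HTTP client that resolves it again reopens the hole via DNS rebinding. The header strip is deliberately a deny-list of the cookie-setting headers only; relaying other headers is usually wanted, but Set-Cookie from an attacker-chosen upstream would land on the proxy's own domain.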
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lobehub | lobehub | < 2.1.57 | 2.1.57 |
| lobehub | lobehub | >= 0 < 2.1.57 | 2.1.57 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to the /webapi/proxy endpoint; any request to this path without authentication should be treated as suspicious SSRF activity.
- Detect reflected Set-Cookie headers in responses originating from the /webapi/proxy endpoint, which may indicate cookie injection attempts on the lobehub.com domain.
- Alert on outbound requests from LobeHub infrastructure to Interactsh callback servers, which attackers commonly use to confirm SSRF exploitation.
- Flag any POST body to /webapi/proxy containing internal or cloud-metadata URLs (e.g., 169.254.169.254 or Vercel internal endpoints) to detect attempts to leak deployment details.
- The vulnerability is fixed in version 2.1.57; instances running earlier versions are affected. Verify the deployed version rather than relying on detection alone.
- The SSRF endpoint requires no authentication, so any unauthenticated actor can trigger outbound requests; detection rules should not filter on authenticated sessions.
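The four detection bullets above, run as one classifier over constructed request records. This is an added example, not a rule from the advisory's sources: the JSON field names (method, path, session_id, body_url, response_headers) are assumptions about what an edge or application log exports, the SAMPLE_LOG lines are constructed, and the OAST_SUFFIXES list is the set of public Interactsh domains as assumed here, so adjust both to your environment. Authenticated requests are still evaluated, per the last bullet; only the unauthenticated tag depends on the session.

```python
"""Added example (not from the advisory's sources): the detection bullets
applied to constructed request records. Field names are assumptions."""
from __future__ import annotations

import ipaddress
import json
from urllib.parse import urlsplit

PROXY_PATH = "/webapi/proxy"
# Internal-looking name suffixes; constructed for the example, extend with your zones.
INTERNAL_HOST_SUFFIXES = (".internal", ".local", ".localdomain")
# Public Interactsh domains as assumed for this example; verify against your tooling.
OAST_SUFFIXES = (".oast.pro", ".oast.live", ".oast.site", ".oast.online", ".oast.fun", ".oast.me")

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = [
    '{"ts":"2026-06-24T10:00:01Z","method":"POST","path":"/webapi/proxy","session_id":null,'
    '"body_url":"http://169.254.169.254/latest/meta-data/","response_headers":["Content-Type"]}',
    '{"ts":"2026-06-24T10:00:02Z","method":"POST","path":"/webapi/proxy","session_id":"s1",'
    '"body_url":"https://example.com/feed.xml","response_headers":["Content-Type"]}',
    '{"ts":"2026-06-24T10:00:03Z","method":"POST","path":"/webapi/proxy","session_id":null,'
    '"body_url":"https://c4f1x.oast.fun/ping","response_headers":["Content-Type"]}',
    '{"ts":"2026-06-24T10:00:04Z","method":"POST","path":"/webapi/proxy","session_id":"s2",'
    '"body_url":"https://attacker.example/","response_headers":["Content-Type","Set-Cookie"]}',
    '{"ts":"2026-06-24T10:00:05Z","method":"GET","path":"/webapi/proxy","session_id":null,'
    '"body_url":null,"response_headers":[]}',
]


def target_is_internal(url: str) -> bool:
    """True for IP literals in private/loopback/link-local ranges (cloud metadata
    lives in 169.254.0.0/16) and for names with an internal-looking suffix."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(INTERNAL_HOST_SUFFIXES)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is the IPv4 it wraps
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def classify(record: dict) -> list[str]:
    """Return the detection tags that fire for one request record."""
    tags: list[str] = []
    if record.get("method") != "POST" or record.get("path") != PROXY_PATH:
        return tags
    url = record.get("body_url") or ""
    host = (urlsplit(url).hostname or "").lower()
    if not record.get("session_id"):
        tags.append("unauth_proxy_post")      # any unauthenticated hit is suspicious
    if target_is_internal(url):
        tags.append("internal_target")        # metadata / private-range target
    if host.endswith(OAST_SUFFIXES):
        tags.append("oast_callback")          # Interactsh confirmation probe
    if any(h.lower() == "set-cookie" for h in record.get("response_headers", [])):
        tags.append("reflected_set_cookie")   # upstream cookie reached the client
    return tags


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run classify over JSON lines; returns (timestamp, tags) for records that fired."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            hits.append((rec["ts"], tags))
    return hits


if __name__ == "__main__":
    for ts, tags in scan(SAMPLE_LOG):
        print(ts, ", ".join(tags))
```

The internal-target check is a log-side heuristic: it can only see the URL as submitted, so a hostname that resolves to a private address will not fire unless it matches a suffix you list. Pair it with egress-side telemetry (the Interactsh bullet) or with resolver logs to catch that case.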
CVSS provenance
NVD (v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
GHSA: 9.0 CRITICAL
Note that the NVD vector scores PR:H (high privileges required) while the description states the endpoint accepts requests without any authentication; the same metrics with PR:N compute to 10.0, so treat the 9.0 as a floor when prioritizing.
No detection rules found.
Nuclei
LobeHub LobeChat <= 2.1.56 - Server-Side Request Forgery (nuclei · CVSS 9.0)
CVE-2026-54157 [CRITICAL] LobeHub LobeChat <= 2.1.56 - Server-Side Request Forgery
Template body not fully extracted; the visible fragment shows an Interactsh-server based matcher combined with condition: and.
# digest: 490a004630440220456386f9f8238a9b281d600af23dbe337e5ccbf20ff41f31faf8ebcee284dc2e02207acf981f4d5aa4f652928dd4137262f3582b99740c3bdc2af6f3096be31adfbd:922c64590222798bb761d5b6d8e72950