Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
Vulnerability Description
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
认证机制不恰当
Vulnerability Title
LobeHub 安全漏洞
Vulnerability Description
LobeHub是LobeHub开源的一个全平台AI对话框架。 LobeHub 2.1.48之前版本存在安全漏洞,该漏洞源于WebAPI身份验证层信任仅经过XOR混淆的客户端控制标头,可能导致攻击者伪造任意身份验证有效载荷并绕过受保护路由的身份验证。
CVSS Information
N/A
Vulnerability Type
N/A