LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

Severity:: Medium

Description

The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes.

Recommendation

Update the @lobehub/lobehub package to the latest compatible version. Followings are version details:

Affected version(s): <= 2.1.47
Patched version(s): 2.1.48

References

GHSA-5mwj-v5jw-5c97
CVE-2026-39411
CWE-287
CWE-290
CWE-345
CAPEC-310
OWASP 2021-A6
OWASP 2021-A7
OWASP 2021-A8

Related Issues

SillyTavern has Authentication Bypass via SSO Header Injection - CVE-2026-44649
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass - CVE-2026-45577
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:: npm; @lobehub/lobehub

Anything's wrong? Let us know Last updated on April 09, 2026