CVE-2026-54157

CVE-2026-54157CVE-2026-54157

Description

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

Scoring

CVSS 9.0 ()
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
Last modified2026-06-23
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.