What is CVE-2026-39411?

CVE-2026-39411 is a medium-severity vulnerability in Lobehub, classified under Improper Authentication. CVSS score: 5.0/10. Published 2026-04-08.

How severe is CVE-2026-39411?

Medium severity. CVSS v3 base score is 5.0 out of 10.

Auth bypass in Lobehub

CVE-2026-39411

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated…

Vulnerability class: Broken Authentication

EPSS: 0.000 (7.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.0 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L.

Affected products

Lobehub — versions < 2.1.48

Weakness classification (CWE)

References

https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97 (x_refsource_CONFIRM)
https://github.com/lobehub/lobehub/pull/13535 (x_refsource_MISC)
https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428 (x_refsource_MISC)
https://github.com/lobehub/lobehub/releases/tag/v2.1.48 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-39411?: CVE-2026-39411 is a medium-severity vulnerability in Lobehub, classified under Improper Authentication. CVSS score: 5.0/10. Published 2026-04-08.
How severe is CVE-2026-39411?: Medium severity. CVSS v3 base score is 5.0 out of 10.