What happened
Prior to LobeHub 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without requiring authentication. Because the server issues the request, an attacker can reach anything the server can: internal networks, cloud instance-metadata endpoints (for example AWS IMDS at 169.254.169.254), and other internal services. CVSS 9.0 (Critical), published 2026-06-23.
Why it matters
LobeHub is a popular AI agent platform (hundreds of thousands of users). An unauthenticated SSRF on its cloud-hosted service lets attackers reach the cloud instance-metadata service, exfiltrate IAM credentials, and pivot to internal AI infrastructure, including model endpoints, vector databases, and agent tool backends. One caveat a responder should keep in mind: credential theft via IMDS depends on IMDSv1 still being enabled, because IMDSv2 requires a PUT with a session-token header that a URL-only SSRF cannot supply; the internal-network reach is unaffected by that.
Attack vector
Unauthenticated POST to /webapi/proxy with an attacker-controlled URL in the request body; the server fetches that URL, enabling SSRF against internal services and cloud metadata endpoints.
Affected systems
LobeHub < 2.1.57
Mitigation
Upgrade to LobeHub 2.1.57 or later. Self-hosted deployments that cannot upgrade immediately should, as defence in depth, restrict the application's egress so it cannot reach link-local and RFC 1918 address space, and enforce IMDSv2 on AWS instances. Advisory: https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346
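What a server-side guard for this kind of proxy endpoint looks like, as an added illustration. This is not LobeHub's code or its fix; the function names, the address denylist and the stub resolver are assumptions made for the example. It shows the checks a URL-fetching endpoint needs before it makes the request: scheme allowlist, no credentials in the URL, a name denylist for well-known metadata hosts, and a check of every resolved address against loopback, private, link-local and metadata ranges, including IPv4-mapped IPv6 forms that a naive string check misses.

```typescript
// Added example (not LobeHub's code): an SSRF guard for a server-side URL
// proxy such as the /webapi/proxy endpoint described above. All names here
// are hypothetical.

type Resolver = (hostname: string) => string[];

type Verdict =
  | { ok: true; url: URL; address: string }
  | { ok: false; reason: string };

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(s: string): boolean {
  const m = IPV4_RE.exec(s);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

function isIPv6(s: string): boolean {
  return s.includes(":") && /^[0-9a-f:.]+$/i.test(s);
}

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// CIDR blocks a proxy must never reach: RFC 1918, loopback, link-local (which
// contains the AWS/GCP/Azure metadata address 169.254.169.254), CGNAT (which
// contains Alibaba Cloud's 100.100.100.200) and unroutable space.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function inCidr4(ip: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedAddress(ip: string): boolean {
  if (isIPv4(ip)) return BLOCKED_V4.some(([b, n]) => inCidr4(ip, b, n));
  if (!isIPv6(ip)) return true; // unparseable: refuse rather than guess
  const v6 = ip.toLowerCase();
  // IPv4-mapped addresses are IPv4 in disguise. The URL parser emits them in
  // hex form (::ffff:a9fe:a9fe), so handle both dotted and hex spellings.
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
  if (dotted) return isBlockedAddress(dotted[1] ?? "");
  const hexed = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (hexed) {
    const hi = parseInt(hexed[1] ?? "0", 16);
    const lo = parseInt(hexed[2] ?? "0", 16);
    return isBlockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (v6 === "::" || v6 === "::1") return true; // unspecified, loopback
  const first = parseInt(v6.split(":")[0] || "0", 16); // first hextet; 0 for "::..."
  if ((first & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((first & 0xfe00) === 0xfc00) return true; // fc00::/7 ULA, includes AWS IMDS fd00:ec2::254
  return false;
}

// Well-known metadata and loopback names, denied by name as defence in depth.
const BLOCKED_HOSTS = new Set(["localhost", "metadata", "metadata.google.internal", "instance-data"]);

function vetProxyTarget(rawUrl: string, resolve: Resolver): Verdict {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  // WHATWG parsing has already canonicalised shorthand IPv4 forms such as
  // 2130706433, 0x7f000001 or 127.1 to a dotted quad; strip IPv6 brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (BLOCKED_HOSTS.has(host)) return { ok: false, reason: `host ${host} is denied` };
  // Resolve once and pin the result: the caller must connect to `address`
  // rather than re-resolve the name, or a DNS-rebinding attacker can swap in
  // an internal address between this check and the connection.
  const addresses = isIPv4(host) || isIPv6(host) ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: "name did not resolve" };
  const bad = addresses.find((a) => isBlockedAddress(a));
  if (bad !== undefined) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  return { ok: true, url, address: addresses[0] ?? host };
}

// Constructed stand-in for dns.promises.lookup(host, { all: true }) so the
// example runs offline; real code resolves live and still pins the result.
const fakeDns: Resolver = (h) => {
  const table: Record<string, string[]> = {
    "example.com": ["93.184.216.34"],
    "vectors.internal": ["10.20.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "169.254.169.254"],
  };
  return table[h] ?? [];
};
```

Two points the code cannot enforce on its own: the fetch that follows must connect to the pinned `address` (via a custom lookup or agent) and must not follow redirects automatically, since a 302 from an allowed host to 169.254.169.254 would otherwise bypass every check; re-run the vetting on each hop instead. A guard like this belongs behind authentication, not in place of it.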