Cyber Resilience

CVE-2026-54157

Critical

Published: 23 June 2026

Published
23 June 2026
Modified
25 June 2026
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
EPSS Score 0.0178 75.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-54157 is a critical-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An…

more

attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers. This vulnerability is fixed in 2.1.57.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in unauthenticated public /webapi/proxy endpoint directly enables exploitation of a public-facing application (T1190) for arbitrary server-side requests, internal info leaks, and header injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References