LobeChat before 2.2.10-canary.18 contains a server-side...
High severity
Unreviewed
Published
Jul 2, 2026
to the GitHub Advisory Database
•
Updated Jul 2, 2026
Description
Published by the National Vulnerability Database
Jul 2, 2026
Published to the GitHub Advisory Database
Jul 2, 2026
Last updated
Jul 2, 2026
LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.
References