CVE-2026-59095

LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.
Configurations

No configuration.

History

02 Jul 2026, 20:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-02 20:17

Updated : 2026-07-14 23:17


NVD link : CVE-2026-59095

Mitre link : CVE-2026-59095

CVE.ORG link : CVE-2026-59095


JSON object : View

Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)