CVE-2026-42045 Overview
CVE-2026-42045 affects LobeHub's LobeChat, a collaborative agent platform, in versions prior to 2.1.48. The vulnerability chains a Cross-Site Scripting (XSS) flaw [CWE-79] in the artifact renderer with an unsafe Electron Inter-Process Communication (IPC) handler. The renderer at src/features/Portal/Artifacts/Body/Renderer/index.tsx falls back to HTMLRenderer when a custom tag type does not match, allowing attacker-controlled Large Language Model (LLM) output to inject executable HTML. The Electron main process exposes a runCommand IPC method without parameter filtering. An attacker who triggers the XSS can reach window.parent.electronAPI and execute arbitrary system commands with the current user's privileges.
Critical Impact
Successful exploitation pivots a client-side XSS into arbitrary command execution on the host operating system through the Electron desktop client.
Affected Products
- LobeHub LobeChat versions prior to 2.1.48
- LobeChat Electron desktop client exposing the runCommand IPC interface
- Deployments where LLM output is rendered through the Artifacts renderer
Discovery Timeline
- 2026-05-12 - CVE-2026-42045 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42045
Vulnerability Analysis
The flaw resides in how LobeChat renders model-generated artifacts. The renderer at src/features/Portal/Artifacts/Body/Renderer/index.tsx selects a handler based on the custom tag type. When no match exists, control falls through to HTMLRenderer, which interprets the content as raw HTML. An attacker who can influence model output, through prompt injection or a malicious shared session, can plant <script> payloads or event handlers that execute in the client context.
The XSS becomes a remote code execution primitive inside the Electron desktop client. The main process registers an IPC channel named runCommand that forwards its argument to a system command execution function without sanitization or allowlisting. Renderer code reaches this channel through window.parent.electronAPI. Once script execution is achieved in the renderer, the attacker invokes runCommand and the ipcMain handler runs the supplied command with the privileges of the logged-in user.
Root Cause
Two defects combine. First, the renderer uses an unsafe default path that treats unknown artifact types as trusted HTML. Second, the Electron IPC surface exposes a command execution primitive to the renderer without filtering, allowlisting, or argument validation, violating the principle of least privilege between renderer and main process.
Attack Vector
The attack requires user interaction and high privileges, consistent with a scenario where an authenticated user opens or renders attacker-influenced content. The attacker conditions the LLM to emit a custom tag containing a malicious HTML payload. Rendering the artifact executes the payload, which then calls window.parent.electronAPI.runCommand to spawn arbitrary processes on the host.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-xq4x-622m-q8fq for technical details from the maintainers.
Detection Methods for CVE-2026-42045
Indicators of Compromise
- Unexpected child processes spawned by the LobeChat Electron binary, such as cmd.exe, powershell.exe, /bin/sh, or bash
- Outbound network connections initiated by processes parented to the LobeChat desktop client immediately after artifact rendering
- Renderer logs or browser console entries showing custom artifact tags falling through to HTMLRenderer
Detection Strategies
- Hunt for process trees where the LobeChat desktop application is the parent of shell interpreters or scripting hosts
- Inspect stored conversation artifacts for <script> tags, inline event handlers, or references to electronAPI and runCommand
- Alert on file writes, scheduled task creation, or persistence artifacts created shortly after LobeChat process activity
Monitoring Recommendations
- Enforce endpoint telemetry on Electron-based applications to capture command line arguments of child processes
- Track installed LobeChat versions across the fleet and flag any instance below 2.1.48
- Monitor IPC and renderer logs in development and staging environments for unmatched artifact tag types
How to Mitigate CVE-2026-42045
Immediate Actions Required
- Upgrade LobeChat to version 2.1.48 or later on all desktop and server installations
- Audit existing conversations and shared sessions for malicious artifacts before re-rendering historical content
- Restrict the LobeChat desktop client to non-privileged user accounts to limit blast radius from command execution
Patch Information
LobeHub addressed the vulnerability in LobeChat 2.1.48. The fix removes the unsafe HTML fallback in the artifact renderer and constrains the runCommand IPC surface. Reference the GitHub Security Advisory GHSA-xq4x-622m-q8fq for commit-level details and upgrade instructions.
Workarounds
- Avoid using the LobeChat Electron desktop client until upgrade is complete and prefer the web client where IPC exposure does not apply
- Disable or proxy untrusted LLM providers that could be coerced into emitting custom artifact tags with embedded HTML
- Apply operating system level application control to block the LobeChat process from spawning shell interpreters
# Verify the installed LobeChat version meets the patched release
npm ls @lobehub/chat
# Expected output should show version 2.1.48 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
