diff --git a/flocks/server/auth.py b/flocks/server/auth.py
index 7e0590425..f736898af 100644
--- a/flocks/server/auth.py
+++ b/flocks/server/auth.py
@@ -163,6 +163,8 @@ def _is_browser_like_request(request: Request) -> bool:
 return True
 if headers.get("origin"):
 return True
+ if headers.get("referer"):
+ return True
 return False
diff --git a/pyproject.toml b/pyproject.toml
index 9ea0d626b..980b2bb88 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "flocks"
-version = "v2026.4.24"
+version = "v2026.4.24.1"
 description = "AI-Native SecOps platform with multi-agent collaboration"
 authors = [
 {name = "Flocks Team", email = "team@example.com"}
diff --git a/tests/server/test_auth_compat.py b/tests/server/test_auth_compat.py
index 9640cb9a7..d39550bc6 100644
--- a/tests/server/test_auth_compat.py
+++ b/tests/server/test_auth_compat.py
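Review bot: The new `referer` branch, exactly like the `origin` check above it, bases the browser-like decision on a header that any client can set, so the change widens which requests reach the session-cookie path rather than tightening anything; that is acceptable only if `_is_browser_like_request` merely selects the cookie lookup and the session is still validated downstream, which the companion test (session resolved through `get_user_by_session_id`) suggests but this hunk does not show. Please record that intent next to the new lines so a later reader does not mistake the header check for an authorization boundary, e.g. `# Origin/Referer are client-supplied hints: they only route the request to the session-cookie path; the session itself is still validated downstream.` The earlier checks at the top of `_is_browser_like_request`, and whatever the preceding `return True` tests, are outside the hunk. As a point of style, the two identical `if headers.get(...): return True` checks could be written as `return any(headers.get(h) for h in ("origin", "referer"))` once the preceding header tests are accounted for.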
@@ -152,6 +152,39 @@ async def _get_user_by_session_id(_session_id: str):
 assert "必须先修改密码" in str(exc_info.value.detail)
+@pytest.mark.asyncio
+async def test_apply_auth_for_request_treats_referer_only_remote_request_as_browser(monkeypatch):
+ async def _has_users():
+ return True
+
+ async def _get_user_by_session_id(_session_id: str):
+ return _FakeLocalUser(must_reset_password=False)
+
+ monkeypatch.setattr(auth_module.AuthService, "has_users", _has_users)
+ monkeypatch.setattr(auth_module.AuthService, "get_user_by_session_id", _get_user_by_session_id)
+ monkeypatch.setattr(
+ auth_module,
+ "get_secret_manager",
+ lambda: _FakeSecrets({auth_module.API_TOKEN_SECRET_ID: "abc123"}),
+ )
+
+ request = _make_request(
+ headers={
+ "user-agent": "Mozilla/5.0",
+ "referer": "http://10.0.0.9:5173/login",
+ "cookie": f"{auth_module.SESSION_COOKIE_NAME}=session-123",
+ },
+ client_host="10.0.0.2",
+ path="/api/auth/me",
+ )
+ _, token, user = await auth_module.apply_auth_for_request(request)
+ try:
+ assert user is not None
+ assert user.username == "test-user"
+ finally:
+ auth_module.clear_auth_context(token)
+
+
 class TestAuthMiddlewareExempt:
 """Cover ``auth_middleware_exempt`` — both fixed paths and regex patterns."""
diff --git a/uv.lock b/uv.lock
index caa5652e9..e894f7aea 100644
--- a/uv.lock
+++ b/uv.lock
@@ -482,7 +482,7 @@ wheels = [
 [[package]]
 name = "flocks"
-version = "2026.4.24"
+version = "2026.4.24.1"
 source = { editable = "." }
 dependencies = [
 { name = "aiofiles" },
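Review bot: The request built in `test_apply_auth_for_request_treats_referer_only_remote_request_as_browser` also carries `"user-agent": "Mozilla/5.0"`, so it may be classified as browser-like by one of the checks that precede the `origin` test in `_is_browser_like_request` (those lines are not in this diff); if so the test passes without the new `referer` branch and does not actually pin it. Either drop the `user-agent` header from this request, or add a direct check on the helper with a referer-only header set, e.g. `assert auth_module._is_browser_like_request(_make_request(headers={"referer": "http://10.0.0.9:5173/login"}, client_host="10.0.0.2", path="/api/auth/me"))`, assuming `_make_request` returns an object the helper accepts. A negative companion (same request without `referer`, expecting no user from the cookie path) would document what the heuristic gates; it may already exist earlier in this file, which is outside the hunk. The `user.username == "test-user"` assertion relies on a default that `_FakeLocalUser` presumably sets, also defined outside the hunk.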