PT-2026-60193 · Hkuds · Lightrag
Publicado
2026-07-15
·
Atualizado
2026-07-15
·
CVE-2026-61740
CVSS v4.0
9.3
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG API KEY set but AUTH ACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to a hardcoded DEFAULT TOKEN SECRET, /auth-status and /login can mint guest JWTs, and combined dependency in lightrag/api/utils api.py accepts a valid guest token before checking the API key. A remote unauthenticated attacker can call endpoints guarded by combined auth, including document read, upload, deletion, graph mutation, and query endpoints. This vulnerability is fixed in 1.5.4.
Exploit
Correção
Using Hardcoded Credentials
Improper Authentication
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Lightrag