PT-2026-30318 · Pypi · Hkuds Lightrag
Published 2026-04-04 · Updated 2026-04-04 · CVE-2026-30762
CVSS v3.1: 7.5 High | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Summary:
The file lightrag/api/config.py (line 397) falls back to the default JWT secret "lightrag-jwt-default-secret" when the TOKEN_SECRET environment variable is not set. The AuthHandler in lightrag/api/auth.py (lines 24-25) signs and verifies tokens with this secret. Because the default value is public, an unauthenticated attacker can forge JWTs that the server accepts as valid and reach any protected endpoint.
Reproduction:
- Install LightRAG v1.4.10 with AUTH_ACCOUNTS configured but no TOKEN_SECRET set
- Use PyJWT to sign a token: jwt.encode({"sub": "admin", "role": "user"}, "lightrag-jwt-default-secret", algorithm="HS256")
- Send a request to any protected endpoint with the header: Authorization: Bearer
- Access is granted without valid credentials
Suggested Fix:
Require TOKEN_SECRET to be explicitly set when AUTH_ACCOUNTS is configured, and refuse to start the API server if authentication is enabled but no custom secret is provided.
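A startup guard implementing the suggested fix, written here as an added example rather than code from the LightRAG project. It assumes the environment variable names AUTH_ACCOUNTS and TOKEN_SECRET from the advisory and the constructed AUTH_ACCOUNTS value "admin:pw"; it refuses to start when auth is enabled and the secret is missing, equal to the known default, or too short for HS256.

```python
import secrets
from typing import Dict, Optional, Tuple

# Names assumed from the advisory: AUTH_ACCOUNTS enables login, TOKEN_SECRET signs JWTs.
DEFAULT_SECRET = "lightrag-jwt-default-secret"  # the hard-coded fallback the advisory describes
MIN_SECRET_BYTES = 32  # HS256 keys should not be shorter than the 256-bit HMAC output


class InsecureConfigError(RuntimeError):
    """Authentication is enabled but the JWT signing secret is unusable."""


def classify_secret(env: Dict[str, str]) -> Tuple[str, str]:
    """Decide what to do with the configured secret.

    Returns (status, detail):
      ("disabled", "")     - no AUTH_ACCOUNTS: no tokens are issued, no secret is needed
      ("ok", <secret>)     - auth enabled and a custom, sufficiently long secret is present
      ("refuse", <reason>) - auth enabled but the secret is missing, the known default, or too short
    """
    auth_accounts = env.get("AUTH_ACCOUNTS", "").strip()
    token_secret = env.get("TOKEN_SECRET", "").strip()
    if not auth_accounts:
        return "disabled", ""
    if not token_secret:
        return "refuse", "AUTH_ACCOUNTS is set but TOKEN_SECRET is empty"
    if token_secret == DEFAULT_SECRET:  # the value anyone can read from the source tree
        return "refuse", "TOKEN_SECRET is the publicly known default value"
    if len(token_secret.encode("utf-8")) < MIN_SECRET_BYTES:
        return "refuse", f"TOKEN_SECRET is shorter than {MIN_SECRET_BYTES} bytes"
    return "ok", token_secret


def require_jwt_secret(env: Dict[str, str]) -> Optional[str]:
    """Startup guard: return the secret to sign with, None when auth is off,
    and raise instead of ever falling back to DEFAULT_SECRET."""
    status, detail = classify_secret(env)
    if status == "refuse":
        raise InsecureConfigError(
            f"{detail}; refusing to start. Generate one with: "
            "python -c 'import secrets; print(secrets.token_urlsafe(48))'"
        )
    return detail or None


if __name__ == "__main__":
    # Constructed environments for illustration, not real deployments.
    for name, env in {
        "auth off": {},
        "default secret": {"AUTH_ACCOUNTS": "admin:pw", "TOKEN_SECRET": DEFAULT_SECRET},
        "custom secret": {"AUTH_ACCOUNTS": "admin:pw", "TOKEN_SECRET": secrets.token_urlsafe(48)},
    }.items():
        print(f"{name}: {classify_secret(env)[0]}")
```

Call require_jwt_secret(os.environ) before the AuthHandler is constructed so the process exits with a clear error instead of serving tokens signed with the default.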
Reporter: Venkata Avinash Taduturi (taduturivenkata@gmail.com)
Fix
Weakness: Improper Authentication
Affected Products: Hkuds Lightrag