PT-2026-31285 · Lightrag · Lightrag

Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-39413

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LightRAG versions prior to 1.4.14

Description: The LightRAG API is vulnerable to a JWT algorithm confusion attack: an attacker can forge tokens by setting 'alg': 'none' in the JWT header. The jwt.decode() call does not explicitly restrict the accepted algorithms, so the 'none' algorithm is not disallowed and a crafted token that carries no signature is accepted as valid, resulting in unauthorized access. The vulnerable code is located in lightrag/api/auth.py at line 128, within the validate_token method. By presenting a JWT whose 'alg' is set to 'none', an attacker authenticates successfully and can impersonate any user, including administrators, gaining access to protected resources.

Recommendations: Update to LightRAG version 1.4.14 or later. Explicitly specify the allowed algorithms in the validate_token method and exclude 'none'; alternatively, hardcode the expected algorithm(s), such as 'HS256'.
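As an added illustration of the defect class and of the recommended fix (example code written for this advisory, not LightRAG's own auth.py or any JWT library's API): a minimal HS256 JWT verifier written two ways, one that lets the untrusted header choose the algorithm and one that pins a server-side allow-list. The secret and token contents used are constructed.

```python
# Added example, not LightRAG's code: the same minimal HS256 verifier written two ways.
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sig(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def issue_hs256(payload: dict, secret: str) -> str:
    """Issue a properly signed token, as a login endpoint would."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{b64url_encode(hs256_sig(signing_input, secret))}"

def verify_trusting_header(token: str, secret: str) -> dict:
    """VULNERABLE pattern: the untrusted header picks the algorithm, so an
    'alg': 'none' token with an empty signature segment is accepted unchecked."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg == "HS256":
        if not hmac.compare_digest(hs256_sig(f"{head}.{body}", secret), b64url_decode(sig)):
            raise ValueError("bad signature")
    elif alg != "none":  # 'none' falls through with nothing verified
        raise ValueError(f"unsupported alg {alg!r}")
    return json.loads(b64url_decode(body))

def verify_pinned(token: str, secret: str, allowed=("HS256",)) -> dict:
    """Hardened pattern: the server's allow-list decides, never the token.
    Only HMAC-SHA256 is implemented here; 'none' is refused even if configured."""
    if "none" in allowed or any(a != "HS256" for a in allowed):
        raise ValueError(f"unsupported allow-list {allowed}")
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not in allow-list {allowed}")
    if not hmac.compare_digest(hs256_sig(f"{head}.{body}", secret), b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))
```

The same allow-list discipline applies when using a real library: pass the accepted algorithm list explicitly to its decode call, and treat a request whose JWT header carries 'alg': 'none' as a signal worth alerting on.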

Fix

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-39413
GHSA-8FFJ-4HX4-9PGF

Affected Products

Lightrag