PT-2026-60193 · Hkuds · Lightrag
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-61740
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG API KEY set but AUTH ACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to a hardcoded DEFAULT TOKEN SECRET, /auth-status and /login can mint guest JWTs, and combined dependency in lightrag/api/utils api.py accepts a valid guest token before checking the API key. A remote unauthenticated attacker can call endpoints guarded by combined auth, including document read, upload, deletion, graph mutation, and query endpoints. This vulnerability is fixed in 1.5.4.
Exploit
Fix
Using Hardcoded Credentials
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Lightrag