PT-2026-60193 · Hkuds · Lightrag

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-61740

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG API KEY set but AUTH ACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to a hardcoded DEFAULT TOKEN SECRET, /auth-status and /login can mint guest JWTs, and combined dependency in lightrag/api/utils api.py accepts a valid guest token before checking the API key. A remote unauthenticated attacker can call endpoints guarded by combined auth, including document read, upload, deletion, graph mutation, and query endpoints. This vulnerability is fixed in 1.5.4.

Exploit

Fix

Using Hardcoded Credentials

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61740

Affected Products

Lightrag