๐Ÿ” CVE Alert

CVE-2026-61740

UNKNOWN 0.0

LightRAG: Authentication bypass: hardcoded DEFAULT_TOKEN_SECRET and public /auth-status defeat LIGHTRAG_API_KEY protection

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG_API_KEY set but AUTH_ACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to a hardcoded DEFAULT_TOKEN_SECRET, /auth-status and /login can mint guest JWTs, and combined_dependency in lightrag/api/utils_api.py accepts a valid guest token before checking the API key. A remote unauthenticated attacker can call endpoints guarded by combined_auth, including document read, upload, deletion, graph mutation, and query endpoints. This vulnerability is fixed in 1.5.4.

CWE CWE-287 CWE-798
Vendor hkuds
Product lightrag
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for hkuds lightrag

Be the first to know when new unknown vulnerabilities affecting hkuds lightrag are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

HKUDS / LightRAG
< 1.5.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/HKUDS/LightRAG/security/advisories/GHSA-f4vv-55c2-5789 github.com: https://github.com/HKUDS/LightRAG/pull/3319 github.com: https://github.com/HKUDS/LightRAG/commit/f7819aa3a49a9d8d92eed8251d82d6ebcafa8cba github.com: https://github.com/HKUDS/LightRAG/releases/tag/v1.5.4