CVE-2026-39413

Source
https://cve.org/CVERecord?id=CVE-2026-39413
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39413.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39413
Aliases
Published
2026-04-08T19:41:23.909Z
Modified
2026-07-13T16:43:36.700729517Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API
Details

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-347"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39413.json"
}
References

Affected packages

Git / github.com/hkuds/lightrag

Affected ranges

Type
GIT
Repo
https://github.com/hkuds/lightrag
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.14"
        }
    ],
    "cpe": "cpe:2.3:a:hkuds:lightrag:*:*:*:*:*:*:*:*"
}

Affected versions

v1.*
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.1
v1.2.2
v1.2.3
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.2
v1.3.3
v1.3.4
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.11rc1
v1.4.11rc2
v1.4.12
v1.4.12rc1
v1.4.13
v1.4.13rc1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.7rc2
v1.4.8
v1.4.8.1
v1.4.8.2
v1.4.8rc1
v1.4.8rc3
v1.4.8rc4
v1.4.8rc5
v1.4.8rc8
v1.4.8rc9
v1.4.9
v1.4.9.1
v1.4.9.10
v1.4.9.11
v1.4.9.2
v1.4.9.3
v1.4.9.4
v1.4.9.4rc1
v1.4.9.5
v1.4.9.6
v1.4.9.7
v1.4.9.8
v1.4.9.9
v1.4.9rc1
v1.4.9rc2
v1.4.9rc3
v1.4.9rc4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39413.json"