CVE-2026-61736

Source
https://cve.org/CVERecord?id=CVE-2026-61736
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61736.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-61736
Aliases
  • GHSA-6x6h-qqr7-855w
Published
2026-07-15T14:12:45.960Z
Modified
2026-07-17T03:48:18.101724717Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests
Details

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS=* combined with allowcredentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin requests. Any malicious website visited by an authenticated LightRAG user can silently make authenticated API requests, exfiltrating documents and knowledge graph data or performing destructive actions such as deleting the document store. This vulnerability is fixed in 1.5.4.

Database specific
{
    "cwe_ids": [
        "CWE-942"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/61xxx/CVE-2026-61736.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/hkuds/lightrag

Affected ranges

Type
GIT
Repo
https://github.com/hkuds/lightrag
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.5.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

Other
temp
v1.*
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.1
v1.2.2
v1.2.3
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.2
v1.3.3
v1.3.4
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.11rc1
v1.4.11rc2
v1.4.12
v1.4.12rc1
v1.4.13
v1.4.13rc1
v1.4.14
v1.4.15
v1.4.16
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.7rc2
v1.4.8
v1.4.8.1
v1.4.8.2
v1.4.8rc1
v1.4.8rc3
v1.4.8rc4
v1.4.8rc5
v1.4.8rc8
v1.4.8rc9
v1.4.9
v1.4.9.1
v1.4.9.10
v1.4.9.11
v1.4.9.2
v1.4.9.3
v1.4.9.4
v1.4.9.4rc1
v1.4.9.5
v1.4.9.6
v1.4.9.7
v1.4.9.8
v1.4.9.9
v1.4.9rc1
v1.4.9rc2
v1.4.9rc3
v1.4.9rc4
v1.5.0
v1.5.0rc2
v1.5.0rc3
v1.5.1
v1.5.2
v1.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61736.json"