CVE-2026-61740

Source
https://cve.org/CVERecord?id=CVE-2026-61740
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61740.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-61740
Aliases
  • GHSA-f4vv-55c2-5789
Published
2026-07-15T14:14:41.064Z
Modified
2026-07-17T03:48:23.615930058Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
LightRAG: Authentication bypass: hardcoded DEFAULT_TOKEN_SECRET and public /auth-status defeat LIGHTRAG_API_KEY protection
Details

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAGAPIKEY set but AUTHACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to a hardcoded DEFAULTTOKENSECRET, /auth-status and /login can mint guest JWTs, and combineddependency in lightrag/api/utilsapi.py accepts a valid guest token before checking the API key. A remote unauthenticated attacker can call endpoints guarded by combinedauth, including document read, upload, deletion, graph mutation, and query endpoints. This vulnerability is fixed in 1.5.4.

Database specific
{
    "cwe_ids": [
        "CWE-287",
        "CWE-798"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/61xxx/CVE-2026-61740.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/hkuds/lightrag

Affected ranges

Type
GIT
Repo
https://github.com/hkuds/lightrag
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.5.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

Other
temp
v1.*
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.1
v1.2.2
v1.2.3
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.2
v1.3.3
v1.3.4
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.11rc1
v1.4.11rc2
v1.4.12
v1.4.12rc1
v1.4.13
v1.4.13rc1
v1.4.14
v1.4.15
v1.4.16
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.7rc2
v1.4.8
v1.4.8.1
v1.4.8.2
v1.4.8rc1
v1.4.8rc3
v1.4.8rc4
v1.4.8rc5
v1.4.8rc8
v1.4.8rc9
v1.4.9
v1.4.9.1
v1.4.9.10
v1.4.9.11
v1.4.9.2
v1.4.9.3
v1.4.9.4
v1.4.9.4rc1
v1.4.9.5
v1.4.9.6
v1.4.9.7
v1.4.9.8
v1.4.9.9
v1.4.9rc1
v1.4.9rc2
v1.4.9rc3
v1.4.9rc4
v1.5.0
v1.5.0rc2
v1.5.0rc3
v1.5.1
v1.5.2
v1.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-61740.json"