LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAGAPIKEY set but AUTHACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to a hardcoded DEFAULTTOKENSECRET, /auth-status and /login can mint guest JWTs, and combineddependency in lightrag/api/utilsapi.py accepts a valid guest token before checking the API key. A remote unauthenticated attacker can call endpoints guarded by combinedauth, including document read, upload, deletion, graph mutation, and query endpoints. This vulnerability is fixed in 1.5.4.
{
"cwe_ids": [
"CWE-287",
"CWE-798"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/61xxx/CVE-2026-61740.json",
"cna_assigner": "GitHub_M"
}