Description
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
Published: 2026-04-08
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a JWT algorithm confusion flaw in the LightRAG API. A crafted JSON Web Token can specify an algorithm value of 'none', allowing the server to accept the token without verifying a signature. This bypasses authentication and permits an attacker to perform any action that the API would normally require valid credentials for. The primary consequence is unauthorized access to the application's functionality, potentially exposing sensitive data or allowing further exploitation.

Affected Systems

The affected product is LightRAG provided by the vendor HKUDS. Versions earlier than 1.4.14 are impacted. Any installation using a pre‑1.4.14 release is susceptible to this flaw.

Risk and Exploitability

With a CVSS score of 4.2 the vulnerability is considered moderate. No EPSS score is available and the vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is remote, via the exposed API endpoint where an attacker can send a crafted JWT. Successful exploitation would result in bypassing authentication and gaining unauthorized access to the API.

Generated by OpenCVE AI on April 8, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LightRAG to version 1.4.14 or later.
  • Verify that JWT validation rejects tokens with the 'none' algorithm.

Generated by OpenCVE AI on April 8, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8ffj-4hx4-9pgf lightrag-hku: JWT Algorithm Confusion Vulnerability
History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Hkuds
Hkuds lightrag
Vendors & Products Hkuds
Hkuds lightrag

Wed, 08 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
Title LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Hkuds Lightrag
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:18:55.606Z

Reserved: 2026-04-07T00:23:30.595Z

Link: CVE-2026-39413

cve-icon Vulnrichment

Updated: 2026-04-08T20:18:48.737Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:25.877

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:35Z

Weaknesses