LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass
Description
Subject: Security Vulnerability Report Hardcoded JWT Secret (CVE-2026-30762)
Hi HKUDS team,
I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE.
Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication (CWE-287) Severity: High Attack Vector: Remote / Unauthenticated
Summary: The file lightrag/api/config.py (line 397) uses a default JWT secret "lightrag-jwt-default-secret" when the TOKEN_SECRET environment variable is not set. The AuthHandler in lightrag/api/auth.py (lines 24-25) uses this secret to sign and verify tokens. An unauthenticated attacker can forge valid JWT tokens using the publicly known default secret and gain access to any protected endpoint.
Reproduction: 1. Install LightRAG v1.4.10 with AUTH_ACCOUNTS configured but no TOKEN_SECRET set 2. Use PyJWT to sign a token: jwt.encode({"sub": "admin", "role": "user"}, "lightrag-jwt-default-secret", algorithm="HS256") 3. Send a request to any protected endpoint with the header: Authorization: Bearer <forged_token> 4. Access is granted without valid credentials
Suggested Fix: Require TOKEN_SECRET to be explicitly set when AUTH_ACCOUNTS is configured. Refuse to start the API server if authentication is enabled but no custom secret is provided.
I'm following a 90-day responsible disclosure timeline from today's date. Please let me know if you have any questions or need additional information.
Best regards, Venkata Avinash Taduturi
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lightrag-hkuPyPI | < 1.4.13 | 1.4.13 |
Affected products
1Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.