VYPR
Medium severity · 4.2 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 22, 2026

CVE-2026-39413

Description

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
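To make the description concrete, here is an added example that is not LightRAG's code: a small stdlib-only HMAC JWT verifier in which the algorithm comes from server configuration and never from the token header, so a token carrying 'alg': 'none' (or any other header value) is rejected before the signature is even examined. The secret, claims and timestamps used with it are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side allowlist: the algorithm is chosen by configuration, never by the token header.
ALLOWED_ALGORITHMS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(payload: dict, secret: str, algorithm: str = "HS256") -> str:
    """Issue an HMAC-signed token (what the server does at login)."""
    header = b64url_encode(json.dumps({"alg": algorithm, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret.encode(), signing_input, ALLOWED_ALGORITHMS[algorithm]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_token(token: str, secret: str, algorithm: str = "HS256", now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise ValueError otherwise."""
    # Mirror the fix's startup check: a misconfigured algorithm is a server error, not a token error.
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("Insecure JWT algorithm configuration")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is attacker-controlled; 'none' (or any other value) must not select the algorithm.
    if header.get("alg") != algorithm:
        raise ValueError("Algorithm not allowed")
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, ALLOWED_ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("Invalid signature")
    payload = json.loads(b64url_decode(body_b64))
    # Require exp explicitly instead of indexing payload["exp"] and letting a KeyError escape.
    if "exp" not in payload:
        raise ValueError("Missing exp claim")
    if payload["exp"] <= (time.time() if now is None else now):
        raise ValueError("Token expired")
    return payload
```

The same structure applies when using PyJWT: pass the configured algorithm in `algorithms=[...]` and reject 'none' at configuration time, as the patch below does.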

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
lightrag-hku   PyPI        < 1.4.14            1.4.14

Affected products

  • cpe:2.3:a:hkuds:lightrag:*:*:*:*:*:*:*:*
    Range: <1.4.14

Patches

728f2e54509d

fix(auth): prevent JWT algorithm confusion attack (GHSA-8ffj-4hx4-9pgf)

https://github.com/HKUDS/LightRAG · yangdx · Apr 7, 2026 · via ghsa
1 file changed · +15 -2
  • lightrag/api/auth.py (+15 -2, modified)
    @@ -36,7 +36,13 @@ def __init__(self):
                     "TOKEN_SECRET not set and AUTH_ACCOUNTS is not configured. "
                     "Falling back to the default guest-mode JWT secret. "
                 )
    -        self.algorithm = global_args.jwt_algorithm
    +        algorithm = global_args.jwt_algorithm
    +        if not algorithm or algorithm.lower() == "none":
    +            raise ValueError(
    +                "JWT_ALGORITHM must be set to a secure algorithm (e.g. HS256). "
    +                "The 'none' algorithm is not permitted."
    +            )
    +        self.algorithm = algorithm
             self.expire_hours = global_args.token_expire_hours
             self.guest_expire_hours = global_args.guest_token_expire_hours
             self.accounts = {}
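Review bot: the new `if not algorithm or algorithm.lower() == "none"` check is a denylist of a single value; since `self.secret` is a shared secret used for HMAC verification, an explicit allowlist (for example `if algorithm not in {"HS256", "HS384", "HS512"}: raise ValueError(...)`) would fail fast at startup on a typo or an asymmetric algorithm name as well, not only on 'none'. Consider also calling `.strip()` on the configured value before comparing, so that stray whitespace in `JWT_ALGORITHM` is caught here with the clear message rather than surfacing later as a decode failure on every request.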
    @@ -125,7 +131,14 @@ def validate_token(self, token: str) -> dict:
                 HTTPException: If token is invalid or expired
             """
             try:
    -            payload = jwt.decode(token, self.secret, algorithms=[self.algorithm])
    +            # Explicitly exclude 'none' to prevent algorithm confusion attacks
    +            allowed_algorithms = [self.algorithm]
    +            if "none" in (a.lower() for a in allowed_algorithms):
    +                raise HTTPException(
    +                    status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
    +                    detail="Insecure JWT algorithm configuration",
    +                )
    +            payload = jwt.decode(token, self.secret, algorithms=allowed_algorithms)
                 expire_timestamp = payload["exp"]
                 expire_time = datetime.fromtimestamp(expire_timestamp, timezone.utc)
     
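Review bot: the `if "none" in (a.lower() for a in allowed_algorithms)` check re-validates a one-element list built from `self.algorithm`, which the constructor already refuses to set to 'none', so it is duplicated work on every request; if it is kept as defence in depth, note that it raises inside the `try:` block, so confirm the `except` clauses that follow do not catch `HTTPException` and re-map this 500 to a generic 401. Separately, `payload["exp"]` on the line after `jwt.decode` raises `KeyError` when the claim is absent; passing `options={"require": ["exp"]}` to `jwt.decode` makes PyJWT reject such a token with `MissingRequiredClaimError`, and since PyJWT already verifies `exp`, the manual `expire_time` comparison becomes redundant.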
    
