PyPI package
lightrag-hku
pkg:pypi/lightrag-hku
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39413 | Med | 4.2 | < 1.4.14 | 1.4.14 | Apr 8, 2026 | LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly | |
| CVE-2026-30762 | hig | — | < 1.4.13 | 1.4.13 | Apr 4, 2026 | Subject: Security Vulnerability Report Hardcoded JWT Secret (CVE-2026-30762) Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improp | |
| CVE-2025-6773 | Med | 5.3 | < 1.3.8 | 1.3.8 | Jun 27, 2025 | A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.fi |
- affected < 1.4.14fixed 1.4.14
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly
- affected < 1.4.13fixed 1.4.13
Subject: Security Vulnerability Report Hardcoded JWT Secret (CVE-2026-30762) Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improp
- affected < 1.3.8fixed 1.3.8
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.fi