LightRAG CORS Vulnerability Allows Credentialed Requests from Any Origin

Vulnerability

A vulnerability in LightRAG prior to version 1.5.4 allows any origin to make credentialed requests to the API, exploiting a misconfiguration of Cross-Origin Resource Sharing (CORS) settings. The server defaulted to CORS_ORIGINS='*' while allowing credentials, which Starlette's CORSMiddleware interpreted as whitelisting all origins for authenticated requests. This flaw enabled malicious websites to access sensitive user data and perform destructive actions within the application.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user documents and knowledge graph data, or allow for destructive actions such as deleting the entire document store.

Reproduction

To reproduce this vulnerability, log into LightRAG and visit a malicious website that can make API requests. The site can then silently exfiltrate documents and knowledge graph data or perform destructive actions like deleting the document store.

Remediation

Users can update to LightRAG version 1.5.4 or later, where this vulnerability has been fixed.

Added: Jul 15, 2026, 3:35 PM
Updated: Jul 15, 2026, 3:35 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
1.0
exploitability
7.3
remediation
0.0
relevance
9.7
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.