LightRAG
- <= 1.4.15
An authentication bypass vulnerability has been identified in LightRAG versions through 1.4.15, when deployed with the LIGHTRAG_API_KEY set but AUTH_ACCOUNTS unset. In this configuration, the X-API-Key protection can be bypassed, allowing remote unauthenticated attackers to access endpoints guarded by combined_auth. This includes document read, upload, deletion, graph mutation, and query endpoints. The vulnerability arises because the application falls back to a hardcoded DEFAULT_TOKEN_SECRET, which can be exploited to mint guest JWTs that bypass the API key requirement.
Exploitation of this vulnerability allows unauthorized access to all endpoints protected by combined_auth, enabling an attacker to read, upload, and delete documents, manipulate knowledge graphs, and exhaust LLM or embedding credits by running queries.
The vulnerability can be reproduced by deploying LightRAG with the LIGHTRAG_API_KEY set and AUTH_ACCOUNTS unset. After obtaining a guest JWT using the DEFAULT_TOKEN_SECRET, this token can be used to access protected endpoints without the API key.
Users should update to LightRAG version 1.5.4 or later, where this vulnerability has been fixed.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.