CORS Misconfiguration in LightRAG Affects User Authentication
CVE-2026-61736
9.3CRITICAL
What is CVE-2026-61736?
LightRAG, a service for retrieval-augmented generation, was affected by a serious CORS misconfiguration in versions prior to 1.5.4. The server's default settings allowed credentialed cross-origin requests from any origin, greatly increasing the risk of unauthorized API access. This misconfiguration permitted malicious websites to exploit authenticated users, enabling actions such as document exfiltration or deletion from the document store. The exposure was resolved in version 1.5.4, which improved the CORS handling mechanism to secure user data and API interactions.
Affected Version(s)
LightRAG < 1.5.4
