CORS Misconfiguration in LightRAG Affects User Authentication
CVE-2026-61736

9.3CRITICAL

Key Information:

Vendor

Hkuds

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61736?

LightRAG, a service for retrieval-augmented generation, was affected by a serious CORS misconfiguration in versions prior to 1.5.4. The server's default settings allowed credentialed cross-origin requests from any origin, greatly increasing the risk of unauthorized API access. This misconfiguration permitted malicious websites to exploit authenticated users, enabling actions such as document exfiltration or deletion from the document store. The exposure was resolved in version 1.5.4, which improved the CORS handling mechanism to secure user data and API interactions.

Affected Version(s)

LightRAG < 1.5.4

References

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.