X-API-Key Bypass in LightRAG API by HKUDS
CVE-2026-61740
9.3CRITICAL
What is CVE-2026-61740?
LightRAG, which offers enhanced retrieval-augmented generation, is susceptible to a vulnerability that allows remote unauthenticated attackers to circumvent the X-API-Key protection. This is due to the lack of proper authentication checks when the LIGHTRAG_API_KEY is set, but AUTH_ACCOUNTS remains unset. Attackers can exploit this weakness via endpoints protected by combined_auth, enabling unauthorized actions such as reading, uploading, deleting documents, and modifying graphs. This vulnerability has been addressed in version 1.5.4.
Affected Version(s)
LightRAG < 1.5.4
