Back to overview

CVE-2026-61736

CRITICAL
9.3
CVSS 3.1
Description
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORS_ORIGINS=* combined with allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin requests. Any malicious website visited by an authenticated LightRAG user can silently make authenticated API requests, exfiltrating documents and knowledge graph data or performing destructive actions such as deleting the document store. This vulnerability is fixed in 1.5.4.

Metadata

CVE ID
CVE-2026-61736
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-10 18:59 UTC
Published
2026-07-15 14:12 UTC
Last updated
2026-07-15 14:59 UTC
Primary CWE
CWE-942
CWE-942: Permissive Cross-domain Policy with Untrusted Domai…
Vendor / Product
HKUDS / LightRAG
Sources
cve.org  ·  NVD

Severity & Metrics

9.3 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
HKUDS LightRAG < 1.5.4
Weakness (CWE)
CWESourceDescription
CWE-942 cna CWE-942: Permissive Cross-domain Policy with Untrusted Domains
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.3 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References (6)
Back to overview