CVE-2026-39413 PUBLISHED

LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API

Assigner: GitHub_M
Reserved: 07.04.2026 Published: 08.04.2026 Updated: 08.04.2026

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
CVSS Score: 4.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	HKUDS
Product	LightRAG
Versions	Version < 1.4.14 is affected

References

https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf

Problem Types

CWE-347: Improper Verification of Cryptographic Signature CWE