LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests
Summary
| CVE | CVE-2026-61736 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-15 15:16:48 UTC |
| Updated | 2026-07-15 18:15:13 UTC |
| Description | LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORS_ORIGINS=* combined with allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin requests. Any malicious website visited by an authenticated LightRAG user can silently make authenticated API requests, exfiltrating documents and knowledge graph data or performing destructive actions such as deleting the document store. This vulnerability is fixed in 1.5.4. |
Risk And Classification
Primary CVSS: v3.1 9.3 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Problem Types: CWE-942 | CWE-942 CWE-942: Permissive Cross-domain Policy with Untrusted Domains
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
| 3.1 | CNA | DECLARED | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
ChangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/HKUDS/LightRAG/commit/09567a4c983f580050db63569dd477122c058c3d | [email protected] | github.com | |
| github.com/HKUDS/LightRAG/releases/tag/v1.5.4 | [email protected] | github.com | |
| github.com/HKUDS/LightRAG/commit/ebba6548639c0f2e8919100eff76b401f1222252 | [email protected] | github.com | |
| github.com/HKUDS/LightRAG/commit/df68d75f9dc29dd340ffb6794b48f48c4fdc9a2d | [email protected] | github.com | |
| github.com/HKUDS/LightRAG/security/advisories/GHSA-6x6h-qqr7-855w | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | |
| github.com/HKUDS/LightRAG/pull/3317 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.