CVE-2026-30762

CVE-2026-30762 is a high-severity improper authentication vulnerability in lightrag-hku (pip), affecting versions <= 1.4.12. It is fixed in 1.4.13.

Summary

Subject: Security Vulnerability Report: Hardcoded JWT Secret (CVE-2026-30762)

Hi HKUDS team,

I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE.

Vulnerability: Hardcoded JWT signing secret
Type: Improper Authentication (CWE-287)
Severity: High
Attack Vector: Remote / Unauthenticated

Summary:
The file lightrag/api/config.py (line 397) uses a default JWT secret "lightrag-jwt-default-secret" when the TOKEN_SECRET environment variable is not set. The AuthHandler in lightrag/api/auth.py (lines 24-25) uses this secret to sign and verify tokens. An unauthenticated attacker can forge valid JWT tokens using the publicly known default secret and gain access to any protected endpoint.

Reproduction:

  1. Install LightRAG v1.4.10 with AUTH_ACCOUNTS configured but no TOKEN_SECRET set
  2. Use PyJWT to sign a token: jwt.encode({"sub": "admin", "role": "user"}, "lightrag-jwt-default-secret", algorithm="HS256")
  3. Send a request to any protected endpoint with the header: Authorization: Bearer
  4. Access is granted without valid credentials

Suggested Fix:
Require TOKEN_SECRET to be explicitly set when AUTH_ACCOUNTS is configured. Refuse to start the API server if authentication is enabled but no custom secret is provided.

I'm following a 90-day responsible disclosure timeline from today's date. Please let me know if you have any questions or need additional information.

Best regards,
Venkata Avinash Taduturi
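The fix the report suggests, a startup guard that refuses to run with a missing or default secret, is illustrated below as an added standalone example; it is not LightRAG's own code, and the real config.py and auth.py are not reproduced. It pairs the pre-fix behaviour described in the report (silent fallback to the default) with a hardened loader, and includes a small stdlib HS256 verifier so the regression check "does a token signed with the public default secret still verify?" runs offline without PyJWT. The AUTH_ACCOUNTS value and the 32-character minimum length are my own assumptions, not something the page states.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder mirroring the default named in the report; the project's
# real config.py and auth.py are not reproduced here.
DEFAULT_JWT_SECRET = "lightrag-jwt-default-secret"
MIN_SECRET_LENGTH = 32  # assumption: an extra floor not stated on the page


class InsecureConfigError(RuntimeError):
    """Raised at startup when auth is enabled without a usable signing secret."""


def load_jwt_secret_vulnerable(env):
    """Pre-fix behaviour as the report describes it: silently fall back to the default."""
    return env.get("TOKEN_SECRET") or DEFAULT_JWT_SECRET


def load_jwt_secret_hardened(env):
    """Suggested fix: when AUTH_ACCOUNTS is configured, TOKEN_SECRET must be explicit,
    must not be the public default, and (my addition) must not be trivially short.
    Returns None when authentication is disabled, because no secret is needed then."""
    if not env.get("AUTH_ACCOUNTS", "").strip():
        return None
    secret = env.get("TOKEN_SECRET", "").strip()
    if not secret:
        raise InsecureConfigError("AUTH_ACCOUNTS set but TOKEN_SECRET missing; refusing to start")
    if secret == DEFAULT_JWT_SECRET:
        raise InsecureConfigError("TOKEN_SECRET is the publicly known default; refusing to start")
    if len(secret) < MIN_SECRET_LENGTH:
        raise InsecureConfigError(f"TOKEN_SECRET shorter than {MIN_SECRET_LENGTH} chars; refusing to start")
    return secret


def startup_refuses(env) -> bool:
    """True when the hardened loader would refuse to start for this environment."""
    try:
        load_jwt_secret_hardened(env)
    except InsecureConfigError:
        return True
    return False


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder (stand-in for PyJWT so the example runs offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str):
    """Return the claims if the token is validly signed under `secret`, else None.
    The algorithm is pinned to HS256 rather than read from the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64, JSON and split failures
        return None


def default_secret_token_accepted(load_secret, env) -> bool:
    """Regression check: would a token signed with the public default secret verify
    under the secret the given loader produces for `env`?"""
    secret = load_secret(env)
    if secret is None:
        return False  # auth disabled: tokens are never consulted
    token = sign_hs256({"sub": "admin", "role": "user"}, DEFAULT_JWT_SECRET)
    return verify_hs256(token, secret) is not None


if __name__ == "__main__":
    env = {"AUTH_ACCOUNTS": "admin:change-me"}  # constructed: auth on, no TOKEN_SECRET
    print("vulnerable loader accepts default-secret token:",
          default_secret_token_accepted(load_jwt_secret_vulnerable, env))
    try:
        default_secret_token_accepted(load_jwt_secret_hardened, env)
    except InsecureConfigError as exc:
        print("hardened loader refused to start:", exc)
```

Running the script with no TOKEN_SECRET shows the vulnerable loader accepting the default-secret token while the hardened loader raises before any request is served; `default_secret_token_accepted` is the check to keep in a test suite so the fallback cannot quietly return in a later release.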

Impact

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

CVE-2026-30762 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.4.13); upgrading removes the vulnerable code path.

Affected versions

lightrag-hku (<= 1.4.12)

Security releases

lightrag-hku → 1.4.13 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade lightrag-hku to 1.4.13 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-30762? CVE-2026-30762 is a high-severity improper authentication vulnerability in lightrag-hku (pip), affecting versions <= 1.4.12. It is fixed in 1.4.13. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. How severe is CVE-2026-30762? CVE-2026-30762 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of lightrag-hku are affected by CVE-2026-30762? lightrag-hku (pip) versions <= 1.4.12 are affected.
  4. Is there a fix for CVE-2026-30762? Yes. CVE-2026-30762 is fixed in 1.4.13. Upgrade to this version or later.
  5. Is CVE-2026-30762 exploitable, and should I be worried? Whether CVE-2026-30762 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-30762 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-30762? Upgrade lightrag-hku to 1.4.13 or later.

Other vulnerabilities in lightrag-hku

CVE-2026-30762
CVE-2025-6773
