CVE-2026-39413
Received Received - Intake
JWT Algorithm Confusion in LightRAG Allows Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39413
EUVD
EUVD-2026-20601
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hkuds lightrag to 1.4.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39413 is a vulnerability in the LightRAG API versions up to 1.4.13 where the JWT (JSON Web Token) decoding function does not properly reject tokens that specify the 'none' algorithm in their header.

Because the jwt.decode() call does not explicitly disallow the 'none' algorithm, an attacker can craft a token without a signature that will be accepted as valid by the system.

This allows the attacker to forge tokens that impersonate any user, including administrators, thereby bypassing authentication.

Impact Analysis

This vulnerability can lead to full unauthorized access to protected resources by allowing an attacker to impersonate any user, including administrators, without needing valid credentials.

As a result, sensitive data and administrative functions could be accessed or manipulated by unauthorized parties.

Detection Guidance

This vulnerability can be detected by inspecting JWT tokens used in requests to the LightRAG API and checking if any tokens have the 'alg' header set to 'none'. Such tokens indicate a forged token that bypasses signature verification.

You can monitor network traffic or logs for Authorization headers containing JWT tokens and decode their headers to look for the 'alg' field set to 'none'.

  • Use a command-line tool like 'jq' to decode JWT headers from captured tokens. For example, extract the JWT token from logs or network captures and run:
  • echo '<JWT_TOKEN>' | cut -d '.' -f1 | base64 -d | jq '.'

If the output JSON contains "alg": "none", the token is vulnerable and can be used to bypass authentication.

Mitigation Strategies

The immediate mitigation is to upgrade LightRAG to version 1.4.14 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, modify the token validation code to explicitly disallow the 'none' algorithm by specifying allowed algorithms when decoding JWT tokens.

  • Change the jwt.decode call to specify allowed algorithms, for example:
  • payload = jwt.decode(token, self.secret, algorithms=['HS256'])

This prevents acceptance of unsigned tokens and blocks the algorithm confusion attack.

Compliance Impact

The vulnerability allows unauthorized access to protected resources by forging JWT tokens, including impersonation of administrators. This unauthorized access can lead to exposure of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Since the vulnerability compromises confidentiality by allowing attackers to bypass authentication controls, it can result in non-compliance with regulations that mandate strict access controls and protection of personal or sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart