CVE-2026-39413
Status: Received - Intake
JWT Algorithm Confusion in LightRAG Allows Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor   Product    Version / Range
hkuds    lightrag   < 1.4.14 (upper bound excluded)
CWE
CWE-347  Improper Verification of Cryptographic Signature: the product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized access to protected resources by forging JWT tokens, including impersonation of administrators. This unauthorized access can lead to exposure of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Since the vulnerability compromises confidentiality by allowing attackers to bypass authentication controls, it can result in non-compliance with regulations that mandate strict access controls and protection of personal or sensitive information.


Can you explain this vulnerability to me?

CVE-2026-39413 is a vulnerability in the LightRAG API versions up to 1.4.13 where the JWT (JSON Web Token) decoding function does not properly reject tokens that specify the 'none' algorithm in their header.

Because the jwt.decode() call does not explicitly disallow the 'none' algorithm, an attacker can craft a token without a signature that will be accepted as valid by the system.

This allows the attacker to forge tokens that impersonate any user, including administrators, thereby bypassing authentication.


How can this vulnerability impact me?

This vulnerability can lead to full unauthorized access to protected resources by allowing an attacker to impersonate any user, including administrators, without needing valid credentials.

As a result, sensitive data and administrative functions could be accessed or manipulated by unauthorized parties.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Inspect the JWTs presented to the LightRAG API and check whether any carry the header field 'alg' set to 'none'. A legitimate token is signed; an 'alg': 'none' token is a forgery attempt, because it has no signature at all and relies on the server not verifying one.

Monitor logs or traffic for Authorization: Bearer headers at a point where the token is visible in the clear (the API host itself, or the proxy that terminates TLS), and decode the first dot-separated segment of each token to read its header. A request that carried such a token and received a 2xx response from an instance older than 1.4.14 is evidence of successful exploitation; a 401 is a rejected attempt. Independently of the logs, confirm the installed LightRAG version: anything below 1.4.14 is affected whether or not an attempt has been observed.

  • Decode a JWT header on the command line with base64 and jq. JWT segments are base64url without '=' padding, so translate the URL-safe alphabet and restore the padding before base64 -d, or the decode fails on most headers:
  • echo '<JWT_TOKEN>' | cut -d '.' -f1 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d | jq '.'

If the output JSON contains "alg": "none" (in any letter case), the token carries no signature. Against an unpatched LightRAG instance it bypasses authentication, so treat it as an attack indicator rather than a malformed client request.
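The same header check, run over log lines instead of a single token, as an added example (this is not LightRAG's code, and the log format, client addresses and tokens are constructed for the example; the HS256 token's signature is a dummy string because the scanner only reads headers). It flags every spelling of 'none' and records whether the server answered 2xx, which is what separates a successful bypass from a rejected attempt:

```python
"""Scan access-log lines for JWTs that select the 'none' algorithm.

Added example, not LightRAG's own code. Standard library only, so it can run
wherever Authorization headers are visible in the clear (the TLS-terminating
proxy or the API host). The log format is constructed for this example:
    <client-ip> <method> <path> <status> Authorization: Bearer <jwt>
"""
import base64
import json
import re

# One constructed log line per request; the signature segment may be empty, as it
# is in an alg=none token.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"Authorization: Bearer (?P<token>[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)\s*$"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding (RFC 7515); restore it first.
    A plain `base64 -d` on the command line fails on exactly this."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Decode the JOSE header; raises ValueError (binascii/JSON errors included) if malformed."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if not isinstance(header, dict):
        raise ValueError("JWT header is not a JSON object")
    return header


def uses_none_alg(header: dict) -> bool:
    """Compare case-insensitively: verifiers that only reject the exact string
    'none' have been bypassed with 'None' and 'NONE', so flag every spelling."""
    return str(header.get("alg", "")).lower() == "none"


def scan_log(lines):
    """Return one finding per request that presented an alg=none token.

    'accepted' is True when the server answered 2xx: on an unpatched LightRAG
    that is a successful bypass; a 401 is a rejected attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            header = jwt_header(m["token"])
        except ValueError:
            continue  # not a parseable JWT
        if uses_none_alg(header):
            status = int(m["status"])
            findings.append({
                "ip": m["ip"], "method": m["method"], "path": m["path"],
                "alg": header.get("alg"), "status": status,
                "accepted": 200 <= status < 300,
            })
    return findings


def make_token(header: dict, payload: dict, signature: str) -> str:
    """Build the constructed sample tokens below; the scanner never verifies signatures."""
    def enc(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{signature}"


# Constructed sample traffic. 'c2lnbmF0dXJl' is a dummy signature, not a real MAC.
SAMPLE_LOG = [
    "10.0.0.5 GET /documents 200 Authorization: Bearer "
    + make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, "c2lnbmF0dXJl"),
    "198.51.100.7 GET /documents 200 Authorization: Bearer "
    + make_token({"alg": "none", "typ": "JWT"}, {"sub": "admin", "role": "admin"}, ""),
    "198.51.100.7 POST /documents/upload 401 Authorization: Bearer "
    + make_token({"alg": "None", "typ": "JWT"}, {"sub": "admin", "role": "admin"}, ""),
    "10.0.0.9 GET /health 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "ACCEPTED (likely unpatched)" if f["accepted"] else "rejected"
        print(f"{f['ip']} {f['method']} {f['path']} alg={f['alg']!r} -> {f['status']} {verdict}")
```

Feed it the real access-log format by adjusting LOG_RE; the header decoding and the 'none' test do not depend on the log layout.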


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade LightRAG to version 1.4.14 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, modify the token validation code so that the server, not the token's own header, decides which algorithms are acceptable: pass an explicit allow-list to jwt.decode() and never include 'none' in it.

  • Change the jwt.decode call to specify allowed algorithms, for example:
  • payload = jwt.decode(token, self.secret, algorithms=['HS256'])

With the algorithm pinned, a token whose header says 'none' is rejected before any signature check, which blocks the algorithm confusion attack. Forged 'none' tokens never depended on the signing secret, so rotating the secret does not close the hole on its own; the allow-list does. After patching, review access logs for 'alg': 'none' tokens to determine whether the flaw was exploited.
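To show concretely what the pinned algorithms list changes, here is an added example (not LightRAG's code and not PyJWT) that implements a token issuer, an attacker's forgery, and two verifiers with the standard library only: verify_trusting_header() reproduces the flawed behaviour, where the attacker-controlled header selects the algorithm and 'none' skips the signature check, and verify_pinned() enforces a server-side allow-list, the same effect as algorithms=['HS256'] in jwt.decode(). The secret and claims are constructed for the example:

```python
"""Trusting the header's 'alg' versus pinning it server-side.

Added example, not LightRAG's code or PyJWT. Standard library only.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"server-side-secret-for-the-example"  # constructed; a real server reads its own


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """What the server issues on login: header.payload.HMAC-SHA256(header.payload)."""
    header = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    body = b64url_encode(_json(payload))
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def forge_none(payload: dict) -> str:
    """What the attacker sends: alg=none, arbitrary claims, empty signature, no secret needed."""
    header = b64url_encode(_json({"alg": "none", "typ": "JWT"}))
    return f"{header}.{b64url_encode(_json(payload))}."


def _split(token: str):
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(body_b64))
    return header, payload, header_b64, body_b64, sig_b64


def _hs256_ok(header_b64: str, body_b64: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_trusting_header(token: str, secret: bytes) -> dict:
    """VULNERABLE: the token's header picks the algorithm, and 'none' means no signature to check."""
    header, payload, h, b, s = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return payload                       # signature skipped: the forged claims are trusted
    if alg == "HS256" and _hs256_ok(h, b, s, secret):
        return payload
    raise ValueError("invalid signature")


def verify_pinned(token: str, secret: bytes, algorithms=("HS256",)) -> dict:
    """FIXED: the server's allow-list decides; 'none' (any spelling) is never in it."""
    header, payload, h, b, s = _split(token)
    alg = header.get("alg")
    if alg not in algorithms:                # rejected before any signature handling
        raise ValueError(f"algorithm {alg!r} not allowed")
    if not _hs256_ok(h, b, s, secret):       # only HS256 is pinned in this example
        raise ValueError("invalid signature")
    return payload


def accepts(verifier, token: str, secret: bytes) -> bool:
    """Does this verifier let the token through? (binascii and JSON errors are ValueErrors.)"""
    try:
        verifier(token, secret)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run a legitimate token and a forged admin token through both verifiers."""
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none({"sub": "admin", "role": "admin"})
    results = {
        "legit_vulnerable": verify_trusting_header(legit, SECRET)["sub"],
        "forged_vulnerable": verify_trusting_header(forged, SECRET)["role"],  # 'admin': bypass
        "legit_pinned": verify_pinned(legit, SECRET)["sub"],
    }
    try:
        verify_pinned(forged, SECRET)
        results["forged_pinned"] = "accepted"
    except ValueError as exc:
        results["forged_pinned"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged token is identical in both runs; only the verifier differs. Note that verify_pinned() also rejects a token whose body was altered after signing, since the HMAC no longer matches, which is the check that the 'none' path let an attacker skip.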

