LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORS_ORIGINS=* combined with allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin requests. Any malicious website visited by an authenticated LightRAG user can silently make authenticated API requests, exfiltrating documents and knowledge graph data or performing destructive actions such as deleting the document store. This vulnerability is fixed in 1.5.4.
CVE-2026-61736
This critical-severity CVE scores 9.3 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.3
- EG Score
- 9.3(low)
- EPSS
- —
- KEV
- Not listed
Published
July 15, 2026
Last Modified
July 15, 2026
Advisory Details (6)
Auto-updated Jul 15, 2026CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests · Advisory · HKUDS/LightRAG · GitHub
https://github.com/HKUDS/LightRAG/security/advisories/GHSA-6x6h-qqr7-855wv1.5.4
Patch available: HKUDS/LightRAG v1.5.4
https://github.com/HKUDS/LightRAG/releases/tag/v1.5.4fix(api): don't pair wildcard CORS origin with credentials
Patch available: HKUDS/LightRAG v1.5.4 (PR #3317 merged 2026-06-24)
https://github.com/HKUDS/LightRAG/pull/3317commit ebba6548639c (HKUDS/LightRAG)
Patch available: HKUDS/LightRAG v1.5.4 (contains commit ebba6548639c)
https://github.com/HKUDS/LightRAG/commit/ebba6548639c0f2e8919100eff76b401f1222252commit df68d75f9dc2 (HKUDS/LightRAG)
Patch available: HKUDS/LightRAG v1.5.4 (contains commit df68d75f9dc2)
https://github.com/HKUDS/LightRAG/commit/df68d75f9dc29dd340ffb6794b48f48c4fdc9a2dcommit 09567a4c983f (HKUDS/LightRAG)
Patch available: HKUDS/LightRAG v1.5.4 (contains commit 09567a4c983f)
https://github.com/HKUDS/LightRAG/commit/09567a4c983f580050db63569dd477122c058c3dWeakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 4× in last 7d / 4× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-15 23:19 UTCEG score recompute
- 2026-07-15 19:05 UTCEG score recompute
- 2026-07-15 14:51 UTCEG score recompute
- 2026-07-15 14:49 UTCMITRE cvelistV5first tracked
Frequently asked(4)
What is CVE-2026-61736?
When was CVE-2026-61736 disclosed?
What is the CVSS score of CVE-2026-61736?
How do I remediate CVE-2026-61736?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-61736
Is Your Infrastructure Affected by CVE-2026-61736?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.