GHSA-8FFJ-4HX4-9PGF

Vulnerability from github – Published: 2026-04-08 00:17 – Updated: 2026-04-08 00:17
VLAI?
Summary
lightrag-hku: JWT Algorithm Confusion Vulnerability
Details

Summary

The LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access.

Details

In lightrag/api/auth.py at line 128, the validate_token method calls:

payload = jwt.decode(token, self.secret, algorithms=[self.algorithm])

This allows any algorithm listed in the token's header to be processed, including 'none'. The code does not explicitly specify that 'none' is not allowed, making it possible for an attacker to bypass authentication.

PoC

An attacker can generate a JWT with the following structure:

{
  "header": {
    "alg": "none",
    "typ": "JWT"
  },
  "payload": {
    "sub": "admin",
    "exp": 1700000000,
    "role": "admin"
  }
}

Then send a request like:

curl -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTcwMDAwMDAwMCwicm9sZSI6ImFkbWluIn0." http://localhost:8000/api/protected-endpoint

Impact

An attacker can impersonate any user, including administrators, by forging a JWT with 'alg': 'none', gaining full access to protected resources without needing valid credentials.

Recommended Fix

Explicitly specify allowed algorithms and exclude 'none'. Modify the validate_token method to:

allowed_algorithms = [self.algorithm] if self.algorithm != 'none' else ['HS256', 'HS384', 'HS512']
payload = jwt.decode(token, self.secret, algorithms=allowed_algorithms)

Or better yet, hardcode the expected algorithm(s):

payload = jwt.decode(token, self.secret, algorithms=['HS256'])
Severity ?
4.2 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.13"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "lightrag-hku"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:17:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nThe LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying \u0027alg\u0027: \u0027none\u0027 in the JWT header. Since the `jwt.decode()` call does not explicitly deny the \u0027none\u0027 algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access.\n\n## Details\nIn `lightrag/api/auth.py` at line 128, the `validate_token` method calls:\n\n```python\npayload = jwt.decode(token, self.secret, algorithms=[self.algorithm])\n```\n\nThis allows any algorithm listed in the token\u0027s header to be processed, including \u0027none\u0027. The code does not explicitly specify that \u0027none\u0027 is not allowed, making it possible for an attacker to bypass authentication.\n\n## PoC\nAn attacker can generate a JWT with the following structure:\n\n```json\n{\n  \"header\": {\n    \"alg\": \"none\",\n    \"typ\": \"JWT\"\n  },\n  \"payload\": {\n    \"sub\": \"admin\",\n    \"exp\": 1700000000,\n    \"role\": \"admin\"\n  }\n}\n```\n\nThen send a request like:\n\n```bash\ncurl -H \"Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTcwMDAwMDAwMCwicm9sZSI6ImFkbWluIn0.\" http://localhost:8000/api/protected-endpoint\n```\n\n## Impact\nAn attacker can impersonate any user, including administrators, by forging a JWT with \u0027alg\u0027: \u0027none\u0027, gaining full access to protected resources without needing valid credentials.\n\n## Recommended Fix\nExplicitly specify allowed algorithms and exclude \u0027none\u0027. Modify the `validate_token` method to:\n\n```python\nallowed_algorithms = [self.algorithm] if self.algorithm != \u0027none\u0027 else [\u0027HS256\u0027, \u0027HS384\u0027, \u0027HS512\u0027]\npayload = jwt.decode(token, self.secret, algorithms=allowed_algorithms)\n```\n\nOr better yet, hardcode the expected algorithm(s):\n\n```python\npayload = jwt.decode(token, self.secret, algorithms=[\u0027HS256\u0027])\n```",
  "id": "GHSA-8ffj-4hx4-9pgf",
  "modified": "2026-04-08T00:17:50Z",
  "published": "2026-04-08T00:17:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HKUDS/LightRAG/commit/728f2e54509d93e0a44f929c7f83f2c88d6d291b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HKUDS/LightRAG"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lightrag-hku: JWT Algorithm Confusion Vulnerability "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.