Auth bypass in Hkuds Lightrag

CVE-2026-61740

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAG_API_KEY set but AUTH_ACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to…

Vulnerability class: Broken Authentication

Affected products

Weakness classification (CWE)

References