Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from Vendor (GitHub_M) · only source for this CVE.
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORS_ORIGINS=* combined with allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin requests. Any malicious website visited by an authenticated LightRAG user can silently make authenticated API requests, exfiltrating documents and knowledge graph data or performing destructive actions such as deleting the document store. This vulnerability is fixed in 1.5.4.
AnalysisAI
Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, credentialed API calls on behalf of a logged-in victim because the server ships with CORS_ORIGINS=* paired with allow_credentials=True. When an authenticated LightRAG user browses to an attacker-controlled page, that page can silently read documents and knowledge-graph data or issue destructive requests such as deleting the entire document store. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, audit all LightRAG deployments to identify instances running versions prior to 1.5.4 and assess data criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Cors Misconfiguration
View allCasdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th
Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut
memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel
SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9
A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical
Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to
Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44670