Skip to main content

Hardcoded Credentials

1 CVEs product

Monthly

CVE-2026-30762 PyPI HIGH PATCH GHSA This Week

LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.

AI / ML Hardcoded Credentials Jwt Attack
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.

AI / ML Hardcoded Credentials Jwt Attack
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy