Description
A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-28
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw (CWE-22) exists in RAGapp versions up to 0.1.5 in the FileHandler.upload_file and FileHandler.remove_file functions of src/ragapp/backend/controllers/files.py. A file name supplied to either function is not confined to the knowledge-file directory, so a crafted name can escape it and cause the server to write a file to, or delete a file from, another location the RAGapp process can reach. The direct consequences are loss of data integrity and, where files the application depends on are deleted, denial of service; the CVSS vectors rate confidentiality, integrity and availability impact as low each.

Affected Systems

The vulnerability affects the RAGapp product, specifically the Knowledge File Handler component of the backend (src/ragapp/backend/controllers/files.py). All releases up to 0.1.5 are impacted, and no fixed release has been identified yet.

Risk and Exploitability

The headline CVSS 4.0 score of 5.3 (6.3 under CVSS 3.1) indicates medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, which suggests no observed exploitation in the wild at this time; a proof-of-concept exploit has, however, been disclosed publicly (E:P in the vectors), so the absence of EPSS and KEV data should not be read as absence of exploitability. The attack vector is network, with low attack complexity and no user interaction, but the vectors require low privileges (PR:L): an authenticated user of the RAGapp API, not an anonymous client, can exercise the traversal to upload or delete files outside the knowledge-file directory.

Generated by OpenCVE AI on June 28, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround is currently provided; per the description, a pull request addressing the issue has been submitted but not yet accepted.

OpenCVE Recommended Actions

  • Apply the official RAGapp patch as soon as the pending pull request is merged and a fixed release is available.
  • Validate all file path inputs on the server side: resolve the candidate path and confirm it remains within the allowed knowledge‑file directory before uploading or removing anything.
  • Restrict the file system permissions of the RAGapp process so it can access only the knowledge‑file directory.
  • Monitor the application for anomalous file upload and deletion activity, and audit request logs for file-name parameters containing path separators or '..' segments and for unexpected upload_file/remove_file calls.
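The server-side containment check recommended above, as an added Python example. This is not RAGapp's code and the function names (unsafe_target, safe_target, remove_knowledge_file) are hypothetical; it contrasts the CWE-22 pattern of joining a user-supplied name onto a base directory with a resolve-and-contain check that also refuses absolute names, '..' segments and symlinks pointing outside the directory. The scenario in demo() (a temporary knowledge directory, a file inside it, a secret outside it and a symlink to the secret) is constructed for the example.

```python
"""Path-containment check for a knowledge-file directory (added illustration,
not RAGapp's own code; all names are hypothetical)."""
import os
import tempfile
from pathlib import Path


def unsafe_target(base_dir: str, user_name: str) -> str:
    """The vulnerable pattern: join user input onto the base and trust it.
    os.path.join discards base_dir when user_name is absolute, and '..'
    segments are never checked against the base."""
    return os.path.join(base_dir, user_name)


def safe_target(base_dir: str, user_name: str) -> Path:
    """Resolve the candidate path and require that it stays inside base_dir.

    Rejects empty names, anything with a directory component (absolute paths,
    '..' escapes), and symlinks that resolve outside base_dir; raises
    ValueError on any violation. Needs Python 3.9+ for Path.is_relative_to.
    """
    if not user_name or user_name != os.path.basename(user_name):
        # Knowledge files are flat: a name with a directory part is refused outright
        raise ValueError("file name must be a bare basename")
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / user_name).resolve()  # follows symlinks before the check
    if not candidate.is_relative_to(base):
        raise ValueError("path escapes the knowledge-file directory")
    if candidate == base:
        raise ValueError("refusing to operate on the directory itself")
    return candidate


def remove_knowledge_file(base_dir: str, user_name: str) -> bool:
    """Hardened remove: deletes only a regular file inside base_dir.
    Returns True if a file was deleted, False if there was nothing to delete."""
    target = safe_target(base_dir, user_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario showing what the unsafe join allows and what the
    hardened check rejects. Returns a dict of outcomes keyed by attempt."""
    root = Path(tempfile.mkdtemp())
    base = root / "knowledge"
    base.mkdir()
    (base / "notes.txt").write_text("ok")
    secret = root / "secret.txt"
    secret.write_text("do not delete")
    (base / "link").symlink_to(secret)  # symlink inside base pointing outside it

    results = {}
    # The vulnerable join happily yields a path outside the knowledge directory
    escaped = Path(unsafe_target(str(base), "../secret.txt")).resolve()
    results["unsafe_escapes"] = not escaped.is_relative_to(base.resolve())
    # The hardened check rejects each escape attempt
    for attempt in ["../secret.txt", "/etc/passwd", "link", "", "sub/../../secret.txt"]:
        try:
            safe_target(str(base), attempt)
            results[attempt] = "allowed"
        except ValueError:
            results[attempt] = "rejected"
    # A legitimate removal still works and the file outside base is untouched
    results["removed_notes"] = remove_knowledge_file(str(base), "notes.txt")
    results["secret_intact"] = secret.exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The basename rule is deliberately stricter than a pure prefix check: it keeps the API flat, so a later change to how names are resolved cannot reintroduce traversal, while the resolve-and-contain step still catches the symlink case that a string check on the name alone would miss.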

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
Title                (none)           RAGapp Knowledge File files.py FileHandler.remove_file path traversal
First Time appeared  (none)           Ragapp; Ragapp ragapp
Weaknesses           (none)           CWE-22
CPEs                 (none)           cpe:2.3:a:ragapp:ragapp:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Ragapp; Ragapp ragapp
References           (none)
Metrics              (none)           cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T22:00:11.403Z

Reserved: 2026-06-28T06:23:18.135Z

Link: CVE-2026-13509

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T23:30:17Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')