Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

RAGFlow’s Agent workflow components – specifically Text Processing (StringTransform) and Message – render user‑supplied templates via Python’s Jinja2.Template without sandboxing. This Server‑Side Template Injection flaw allows any authenticated user to inject crafted Jinja2 expressions that are evaluated as operating‑system commands, giving the attacker arbitrary command execution on the RAGFlow host. The resulting breach can lead to data exfiltration, service disruption, or further compromise of the underlying infrastructure.

Affected Systems

Infiniflow’s open‑source RAGFlow engine, versions 0.24.0 and earlier, is affected. The vulnerability resides in the Text Processing and Message components of the Agent workflow, and any authenticated user who can submit or edit templates is at risk.

Risk and Exploitability

The CVSS score of 8.7 denotes a high‑severity flaw, while the EPSS score is not currently available, leaving the real‑world exploitation probability unclear. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the workflow UI and the ability to inject Jinja2 code; once injected, the attacker can run commands with the same privileges as the RAGFlow process.

Generated by OpenCVE AI on April 4, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for a newer RAGFlow release that removes unsandboxed Jinja2 usage and apply any available patch.
  • If no patch exists, deny template creation or editing privileges to all users except a narrow administrative group.
  • Configure Jinja2 to run in sandbox or disable the template rendering engine until a fix is provided.
  • Monitor system logs for unexpected command execution or abnormal template processing activity.
  • Stay informed of vendor advisories and apply the patch as soon as it becomes available.

Generated by OpenCVE AI on April 4, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:infiniflow:ragflow:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Infiniflow
Infiniflow ragflow
Vendors & Products Infiniflow
Infiniflow ragflow

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At time of publication, there are no publicly available patches.
Title RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component
Weaknesses CWE-1336
CWE-20
CWE-78
CWE-94
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Infiniflow Ragflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:57:26.934Z

Reserved: 2026-03-03T14:25:19.245Z

Link: CVE-2026-28797

cve-icon Vulnrichment

Updated: 2026-04-06T18:57:04.953Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T22:16:26.320

Modified: 2026-04-22T16:01:13.130

Link: CVE-2026-28797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:21:57Z

Weaknesses