Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a server‑side template injection (SSTI) in RAGFlow’s prompt generator that allows an authenticated user to execute arbitrary OS commands on the host. The flaw is a Jinja2 template injection: user‑controlled input reaches the template engine and is rendered as template code rather than as data. An attacker can register an account, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the injection to run any command with the privileges of the RAGFlow process, leading to full compromise of the server.

Affected Systems

The RAGFlow open‑source engine from Infiniflow, versions 0.24.0 and earlier, is affected.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, which suggests no known widespread exploitation yet. The attack requires authentication, but once authenticated an attacker can use the prompt generator to execute commands. With no public exploit for this SSTI, the vulnerability most likely remains unexploited so far, but the impact would be broad if it were abused.

Generated by OpenCVE AI on May 29, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RAGFlow to the latest release (0.24.1 or newer) where the SSTI is fixed.
  • If updating immediately is not possible, disable the prompt generator feature or restrict its use to trusted users and ensure that template rendering is performed with safe context handling.
  • Implement role‑based access controls to limit the number of authenticated users that can create or trigger Canvas workflows.
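The last two recommendations come down to one rule: untrusted text must never become part of the template source. The following is an added example, not code from RAGFlow's prompt generator, that shows the vulnerable pattern beside the hardened one and a simple check a defender can run on content flowing from an external fetch into a prompt. The prompt wording, the sample search result and the function names are assumptions made for the illustration.

```python
# Added example (not RAGFlow's code): rendering untrusted text AS a Jinja2
# template versus passing it INTO a fixed template as data, plus a check
# for template syntax in inbound content.
import re

from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample: text a workflow might receive from an external source
# (for instance a search component). It carries the harmless canary
# expression commonly used to detect whether an engine evaluated it.
SAMPLE_SEARCH_RESULT = "Result 1: DuckDuckGo snippet {{ 7 * 7 }}"

PROMPT_HEADER = "Answer the question using only these search results:\n"

# Fixed prompt template: the untrusted text is referenced as a variable.
PROMPT_TEMPLATE = PROMPT_HEADER + "{{ results }}"

# Jinja2 expression, statement and comment delimiters.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)


def render_unsafe(search_results: str) -> str:
    """Vulnerable pattern: untrusted text becomes part of the template SOURCE.

    Anything that looks like Jinja2 syntax inside search_results is evaluated
    by the engine, which is the essence of a template injection.
    """
    template_source = PROMPT_HEADER + search_results
    return Environment().from_string(template_source).render()


def render_safe(search_results: str) -> str:
    """Hardened pattern: the template is a constant; untrusted text is a value.

    A SandboxedEnvironment is used as defence in depth so that a template
    mistake elsewhere cannot reach Python internals via attribute access.
    """
    env = SandboxedEnvironment()
    return env.from_string(PROMPT_TEMPLATE).render(results=search_results)


def contains_template_syntax(text: str) -> bool:
    """Detection helper: flag inbound content that carries Jinja2 delimiters.

    Suitable for logging or alerting on the path between an external fetch
    and a prompt build; it is not a substitute for render_safe.
    """
    return TEMPLATE_SYNTAX.search(text) is not None


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_SEARCH_RESULT).splitlines()[-1])
    print("safe   :", render_safe(SAMPLE_SEARCH_RESULT).splitlines()[-1])
    print("flagged:", contains_template_syntax(SAMPLE_SEARCH_RESULT))
```

Run stand-alone, the unsafe path prints the canary evaluated to 49 while the safe path preserves it as literal text; the detection helper flags the sample so that such content can be logged before it ever reaches a prompt build.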

Advisories

No advisories yet.

History

Fri, 29 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Infiniflow
                                      Infiniflow ragflow
Vendors & Products                    Infiniflow
                                      Infiniflow ragflow

Fri, 29 May 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description                    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.
Title                          RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution
Weaknesses                     CWE-1336
References
Metrics                        cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Infiniflow Ragflow
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T12:24:07.996Z

Reserved: 2026-05-11T20:50:30.538Z

Link: CVE-2026-45312

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-29T13:16:22.770

Modified: 2026-05-29T13:16:22.770

Link: CVE-2026-45312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T14:00:19Z

Weaknesses