CVE-2026-45312 PUBLISHED

RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution

Assigner: GitHub_M
Reserved: 11.05.2026 Published: 29.05.2026 Updated: 29.05.2026

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	infiniflow
Product	ragflow
Versions	Version <= 0.24.0 is affected

References

https://github.com/infiniflow/ragflow/security/advisories/GHSA-wpg4-h5g2-jxm6

Problem Types

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine CWE