CRITICAL | CVE-2026-45312 | Published | Modified | CNA: GitHub_M

CVE-2026-45312: RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.

HarborGuard Analysis

Synopsis

A server-side template injection (SSTI) in the Jinja2-based prompt generator of RAGFlow (rag/prompts/generator.py) lets any authenticated user run arbitrary OS commands on the server. The bug is reachable over the network by any registered user (no admin role needed) by creating a Canvas workflow that chains a DuckDuckGo component with an LLM component, triggering template evaluation on attacker-controlled input. Successful exploitation yields full remote code execution as the RAGFlow service account, with read, write, and service-disruption impact on the host. No upstream fix has been published; HarborGuard tracks the advisory and will surface a patched rebuild as soon as one is available.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against RAGFlow images in customer registries and build pipelines, including custom-built images that repackage infiniflow/ragflow at or below 0.24.0.

Triage: Available

Triage is available with the published CVSS v3.1 score of 9.9 (Critical) carried through and re-weighted against each customer's compliance policy, so an internet-exposed RAGFlow instance routes differently from an internal sandbox. Findings land in the appropriate inbox inside each customer org with the SSTI-to-RCE chain and Canvas-workflow reachability called out.

Patch: Pending upstream

No upstream fix version exists yet, so no patched rebuild can be produced. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment infiniflow publishes a fixed release; auto-remediation customers will then get the rebuild, regression run, and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the RAGFlow HTTP service over the network (AV:N).

  • Authentication: Required

    A low-privilege account is sufficient, and RAGFlow allows open self-registration, so this barrier is trivial in default deployments (PR:L).

  • Victim interaction: Not required

    No user has to click or approve anything; the attacker triggers the Canvas workflow themselves (UI:N).

  • Attack complexity

    AC:L: the exploit is reliable and condition-free once the attacker can log in and create a Canvas.

Blast Radius

  • Executes arbitrary OS commands as the RAGFlow service account, giving full remote code execution on the container or host.
  • Reads any data the service can access, including ingested documents, embeddings, API keys, and database credentials stored in the environment.
  • Modifies or deletes RAG corpora, workflow definitions, and persisted application state.
  • Crashes or hijacks the RAGFlow service, and can be used as a pivot into other services reachable from the container network.

How HarborGuard Handles This

Available on HarborGuard: continuous matching of RAGFlow images against this advisory, with critical-severity routing into each customer's triage inbox. Because no upstream patch exists, the recommended compensating controls are to disable open user registration, restrict the RAGFlow UI and API to trusted networks via network policy or an authenticating proxy, and feature-flag or block the Canvas DuckDuckGo plus LLM component chain until a fix lands. The advisory is re-checked each ingest cycle, and when infiniflow ships a fixed release a patched-image rebuild becomes available automatically; environments with auto-remediation enabled then receive a rebuild, regression run, and a PR opened against affected workloads, with a typical time from fix publication to merged PR around 90 minutes for critical issues.

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: (no version listed)
  • Affected products: 1
  • Affected packages: infiniflow / ragflow <= 0.24.0
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H