PatchSiren cyber security CVE debrief
CVE-2026-45312 infiniflow CVE debrief
A critical server-side template injection (SSTI) vulnerability in RAGFlow's prompt generator enables authenticated remote code execution. The flaw resides in rag/prompts/generator.py where Jinja2 template rendering processes attacker-controlled input without sufficient sandboxing. Any authenticated user—including self-registered accounts—can exploit this by crafting a Canvas workflow that chains DuckDuckGo search with an LLM component, injecting malicious template syntax that escapes to arbitrary OS command execution. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects network attackability, low complexity, low privileges required, no user interaction, and changed scope with complete confidentiality, integrity, and availability impact. The CWE-1336 classification indicates improper neutralization of special elements used in a template engine. This vulnerability affects RAGFlow version 0.24.0 and earlier. The NVD entry carries a 'Deferred' status as of the June 2, 2026 modification. No known exploitation in ransomware campaigns has been cataloged in CISA KEV.
- Vendor: infiniflow
- Product: ragflow
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-06-02
- Advisory published: 2026-05-29
- Advisory updated: 2026-06-02
Who should care
Organizations running RAGFlow instances with self-registration enabled or multi-tenant deployments where untrusted users can create Canvas workflows. Security teams responsible for AI/ML infrastructure and RAG pipeline security should prioritize patching and access control reviews.
Technical summary
The RAGFlow open-source RAG engine contains a server-side template injection vulnerability in its prompt generation component (rag/prompts/generator.py). Jinja2 templates are rendered with insufficient input sanitization, allowing template syntax to reach the engine. An authenticated attacker constructs a Canvas workflow combining DuckDuckGo search and LLM components to deliver a payload that escapes template context and executes operating system commands on the host server. The vulnerability requires only low-privilege authenticated access, with no user interaction needed, and the scope change indicates impact beyond the attacker's original security context.
Defensive priority
critical
Recommended defensive actions
- Upgrade RAGFlow to a version newer than 0.24.0 once a patched release is available from the project maintainers
- Restrict or disable self-service user registration until patching is complete to reduce the attack surface from low-privilege authenticated accounts
- Review and restrict Canvas workflow permissions, particularly for components that interact with external search services and LLM chains
- Implement network segmentation to limit RAGFlow server egress and lateral movement opportunities in case of compromise
- Audit existing Canvas workflows for suspicious template syntax or unexpected external command execution indicators
- Apply principle of least privilege to RAGFlow service accounts and container runtime environments
- Monitor for anomalous process spawning from the RAGFlow application context as a detection control for successful exploitation
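One way to approach the workflow audit recommended above, as an added example that is not RAGFlow code: it walks a workflow exported as JSON and flags string fields containing Jinja2 delimiters, rating statement blocks and underscore-prefixed attribute access (which Jinja2's SandboxedEnvironment treats as unsafe) as high priority. The JSON layout, component names and field names in the sample are constructed assumptions; adapt the loader to however your deployment stores Canvas definitions.

```python
import json
import re

# Jinja2 delimiters: {{ expression }}, {% statement %}, {# comment #}
DELIMS = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}|\{#(.*?)#\}", re.S)
# Attribute or subscript access to an underscore-prefixed name.
UNDERSCORE_ATTR = re.compile(r"""(\.|\[\s*['"])_\w+""")

# Constructed sample: the structure is an assumption, not RAGFlow's real schema.
SAMPLE = json.dumps({"components": {
    "search_0": {"type": "DuckDuckGo", "params": {"query": "{{ user_input }}"}},
    "llm_0": {"type": "LLM", "params": {
        "prompt": "Summarise: {{ results._private_field }}",
        "notes": "plain text, no template syntax"}},
}})


def walk(node, path="$"):
    """Yield (json_path, string) for every string value in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit_workflow(workflow_json):
    """Return findings for one workflow, 'high' entries before 'review'."""
    findings = []
    for path, text in walk(json.loads(workflow_json)):
        for m in DELIMS.finditer(text):
            expr, stmt, _comment = m.groups()
            body = expr if expr is not None else stmt
            risky = stmt is not None or bool(body and UNDERSCORE_ATTR.search(body))
            findings.append({"path": path,
                             "level": "high" if risky else "review",
                             "snippet": m.group(0)[:80]})
    return sorted(findings, key=lambda f: f["level"])


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding["level"], finding["path"], finding["snippet"])
```

A "review" finding is not necessarily malicious, since prompts may use template variables legitimately; treat the output as a triage list for manual inspection.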
Evidence notes
Vulnerability description sourced from NVD modified feed and GitHub Security Advisory GHSA-wpg4-h5g2-jxm6. CVSS vector and CWE-1336 attribution confirmed via NVD source item metadata. Attack path details (Canvas workflow, DuckDuckGo+LLM chain, authenticated user registration) derived from official CVE description. Vendor attribution remains unconfirmed in source data ('Unknown Vendor' with review flag).
Official resources
- CVE-2026-45312 CVE record (CVE.org)
- CVE-2026-45312 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (2026-05-29)