What is the CVSS score of CVE-2026-45312?

CVE-2026-45312 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of RAGFlow are affected by CVE-2026-45312?

RAGFlow versions 0.24.0 and earlier contain a critical server-side template injection vulnerability allowing authenticated users to execute arbitrary operating system commands on the hosting…

How to fix or mitigate CVE-2026-45312?

Within 24 hours: Identify all RAGFlow deployments; disable account self-registration; restrict network access to RAGFlow interfaces to trusted systems only; assess whether temporary service shutdown is operationally acceptable. Within 7 days: Implement network segmentation to isolate RAGFlow hosts from sensitive systems; deploy command execution monitoring with alerting; review access logs for exploitation indicators. Within 30 days: Maintain interim mitigations; monitor vendor advisories for patch release; prepare and test upgrade procedures for immediate deployment when patch becomes available.

RAGFlow CVE-2026-45312

EUVD-2026-33284 CRITICAL

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2026-05-29 GitHub_M

Ssti Code Injection

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 29, 2026 - 13:20 vuln.today

DescriptionNVD

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.

AnalysisAI

Server-side template injection in RAGFlow 0.24.0 and earlier allows any authenticated user to execute arbitrary operating system commands on the host through the Jinja2-based prompt generator (rag/prompts/generator.py). Because RAGFlow installations commonly permit open self-registration, the practical barrier is minimal: an attacker registers an account, builds a Canvas workflow chaining a DuckDuckGo retrieval node with an LLM node, and triggers the SSTI to break out of the Jinja2 sandbox. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Discover exposed RAGFlow UI

Delivery

Self-register low-privileged account

Exploit

Create Canvas with DuckDuckGo + LLM chain

Execution

Inject Jinja2 sandbox-escape payload

Persist

Trigger prompt generator render

Impact

Execute OS commands as service user

Access

Discover exposed RAGFlow UI

Delivery

Self-register low-privileged account

Exploit

Create Canvas with DuckDuckGo + LLM chain

Execution

Inject Jinja2 sandbox-escape payload

Persist

Trigger prompt generator render

Impact

Execute OS commands as service user

Vulnerability AssessmentAI

Exploitation	The attacker needs (1) network reachability to the RAGFlow web interface, (2) a low-privileged authenticated account - trivially obtained where the default self-registration flow is enabled, which the advisory explicitly calls out, and (3) the ability to create or edit a Canvas workflow that chains a DuckDuckGo component with an LLM component so that attacker-controlled text reaches the Jinja2 prompt renderer in rag/prompts/generator.py. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals converge on high real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker browses to an internet-exposed RAGFlow instance, self-registers a normal account, and creates a Canvas workflow chaining a DuckDuckGo retrieval component into an LLM component. By embedding a Jinja2 sandbox-escape payload in the prompt or component configuration that reaches rag/prompts/generator.py, the attacker forces template rendering to evaluate Python expressions that invoke os.system, gaining arbitrary command execution as the RAGFlow service account on the underlying host.
Remediation	Patch available per vendor advisory GHSA-wpg4-h5g2-jxm6 (https://github.com/infiniflow/ragflow/security/advisories/GHSA-wpg4-h5g2-jxm6); upgrade to the fixed release identified there as soon as it is confirmed (the input data does not enumerate the exact fix version, so verify against the advisory before deploying). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all RAGFlow deployments; disable account self-registration; restrict network access to RAGFlow interfaces to trusted systems only; assess whether temporary service shutdown is operationally acceptable. …

Threat intelligence, references, and detailed analysis are available after sign-in.