Skip to main content

RAGFlow CVE-2026-58579

| EUVDEUVD-2026-41421 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 VulnCheck GHSA-73vg-2j49-cmcr
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-delivered stored XSS requires low-privilege authentication (PR:L) and victim interaction (UI:R); scope change (S:C) reflects cross-user session hijack with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:37 vuln.today
CVSS changed
Jul 02, 2026 - 20:22 NVD
5.4 (MEDIUM) 5.1 (MEDIUM)

DescriptionCVE.org

RAGFlow before 0.26.3 stores an agent pipeline (DSL) node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalize_dsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name into the "Rerun from current step" confirmation modal via dangerouslySetInnerHTML, and the i18next configuration sets escapeValue:false, so the value is inserted into the DOM without HTML encoding. An authenticated workspace user who can create or edit an agent can inject arbitrary JavaScript that executes in the session of another workspace member who opens the dataflow result and clicks rerun, enabling session/token theft and account takeover across the user trust boundary.

AnalysisAI

Stored XSS in RAGFlow before 0.26.3 enables cross-user JavaScript execution through unsanitized agent pipeline node names rendered in a confirmation modal. An authenticated workspace member injects a payload into a DSL node name via the agent update endpoint; when a different workspace member opens the dataflow result and clicks 'Rerun from current step,' the payload executes in their browser, enabling session token theft and account takeover across the workspace trust boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker authenticates as workspace member
Delivery
Craft agent DSL node name with XSS payload
Exploit
Save agent via update endpoint (normalize_dsl preserves payload verbatim)
Install
Victim opens dataflow result view for compromised agent
C2
Victim clicks 'Rerun from current step'
Execute
Modal renders payload via dangerouslySetInnerHTML with escapeValue:false
Impact
Steal session token or perform authenticated actions as victim

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid RAGFlow account with workspace membership and permission to create or edit agent pipelines - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) appropriately reflects the dual constraints of PR:L (authenticated attacker) and UI:P (victim must interact with the modal), which together limit opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious RAGFlow workspace member crafts an agent pipeline and sets a DSL node name to a JavaScript payload designed to exfiltrate the victim's session token or API key. When a co-worker opens the dataflow result view for that agent and clicks the 'Rerun from current step' button, the confirmation modal renders the node name unsanitized via dangerouslySetInnerHTML, executing the payload in the victim's browser and transmitting their credentials to the attacker. …
Remediation Upgrade RAGFlow to version v0.26.3 or later, which resolves the vulnerability via commit 572f1ea9f4eba6a60e64f7437dee60aa1c0913f1 merged through PR #16516 (https://github.com/infiniflow/ragflow/pull/16516); the release is available at https://github.com/infiniflow/ragflow/releases/tag/v0.26.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-12433 CRITICAL POC
9.8 Mar 20

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. Rated critical severity (CVSS 9

CVE-2026-24770 CRITICAL POC
9.8 Jan 27

Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary fil

CVE-2024-12450 CRITICAL POC
9.8 Mar 20

In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities.

CVE-2025-27135 HIGH POC
8.9 Feb 25

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Rated high severity (CVSS 8.9), this vulnerabilit

CVE-2024-10131 HIGH POC
8.8 Oct 19

The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulne

CVE-2025-25282 HIGH POC
8.1 Feb 21

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. Rated high s

CVE-2024-12779 HIGH POC
7.5 Mar 20

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. Rated high severity (CVS

CVE-2024-53450 HIGH POC
7.5 Dec 09

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents

CVE-2024-12880 MEDIUM POC
6.5 Mar 20

A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data query

CVE-2024-12871 MEDIUM POC
5.4 Mar 20

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowl

CVE-2025-48187 CRITICAL POC
9.1 May 17

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against

CVE-2024-12869 MEDIUM POC
4.3 Mar 20

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view anot

Share

CVE-2026-58579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy