VYPR
Critical severity 9.9 · NVD Advisory · Published May 29, 2026

CVE-2026-45312

Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Jinja2 template injection in RAGFlow's prompt generator allows authenticated users to achieve remote code execution via a crafted Canvas workflow.

Vulnerability

RAGFlow versions 0.24.0 and earlier contain a server-side template injection (SSTI) vulnerability in the prompt generator at rag/prompts/generator.py. The citation_prompt() function creates an unsandboxed Jinja2 environment and renders user-controlled input from the user_defined_prompts dictionary. This dictionary is populated from <CITATION_GUIDELINES> XML tags in the LLM component's sys_prompt parameter, which is fully controlled by the user via the Canvas DSL. No sandboxing or sanitization is applied, allowing arbitrary Jinja2 template expressions to be executed [1].

Exploitation

An attacker must be an authenticated user (registration is open by default). The exploit involves creating a Canvas workflow with a DuckDuckGo component (to populate retrieval chunks without requiring API keys or embedding models) and an LLM component. To bypass the LLM model validation, the attacker sets up a fake OpenAI-compatible HTTP server that responds with valid streaming and non-streaming responses, allowing a custom model to be saved. The attacker then configures the LLM component's sys_prompt with a malicious Jinja2 template inside <CITATION_GUIDELINES> tags. When the workflow executes, the template is rendered server-side, leading to SSTI and remote code execution [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary OS commands on the RAGFlow server. This results in full compromise of the server, including access to all data, credentials, and the ability to pivot to internal networks. The vulnerability is rated critical (CVSS 9.9) due to the low complexity and high impact [1].

Mitigation

As of the advisory publication date (2026-05-29), no patched version has been released. Users are advised to restrict user registration or disable the Canvas workflow feature until a fix is available. The vendor has been notified and a security advisory (GHSA-wpg4-h5g2-jxm6) has been published [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Infiniflow/Ragflow (inferred), 2 versions
    • (no CPE) range: <=0.24.0
    • (no CPE) range: <=0.24.0

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"An unsandboxed Jinja2 environment in `rag/prompts/generator.py` renders user-controlled input from `<CITATION_GUIDELINES>` XML tags without sanitization, enabling server-side template injection."

Attack vector

An authenticated attacker registers a normal user account, creates a Canvas workflow containing a DuckDuckGo component chained to an LLM component, and embeds a malicious Jinja2 template inside a `<CITATION_GUIDELINES>` tag in the LLM's `sys_prompt`. When the workflow is executed, the DuckDuckGo component retrieves web chunks, which triggers `citation_prompt()` to render the attacker-controlled template through an unsandboxed Jinja2 environment, resulting in server-side template injection (SSTI) and arbitrary OS command execution [1]. No API keys, sandbox service, or embedding model are required.

Affected code

The vulnerability resides in `rag/prompts/generator.py` at line 185, where an unsandboxed Jinja2 environment is created, and in the `citation_prompt()` function at line 189, which renders user-controlled input through that environment. The `_extract_prompts()` method in `agent/component/llm.py` (lines 262–268) populates the `user_defined_prompts` dict from `<CITATION_GUIDELINES>` XML tags in the LLM component's `sys_prompt` parameter, which the attacker fully controls via the Canvas DSL [1].
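An audit check for the data flow described above, as an added example (not RAGFlow code): it walks an exported workflow and flags every `sys_prompt` whose `<CITATION_GUIDELINES>` block contains Jinja2's default delimiters. It assumes the Canvas DSL is JSON and that the block ends at a matching closing tag or at the end of the string; `SAMPLE_DSL` and its layout are constructed.

```python
import json
import re

# Tag name from the advisory; the closing tag (or end of string) is assumed.
GUIDELINES = re.compile(
    r"<CITATION_GUIDELINES>(.*?)(?:</CITATION_GUIDELINES>|\Z)", re.S)
# Jinja2's default expression, statement and comment openers.
JINJA_OPEN = re.compile(r"\{\{|\{%|\{#")


def iter_sys_prompts(node, path="$"):
    """Yield (json_path, text) for every string stored under a 'sys_prompt' key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "sys_prompt" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_sys_prompts(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_sys_prompts(value, f"{path}[{i}]")


def find_template_syntax(dsl_text):
    """Return one finding per guideline block that contains Jinja2 delimiters."""
    findings = []
    for path, prompt in iter_sys_prompts(json.loads(dsl_text)):
        for block in GUIDELINES.findall(prompt):
            hits = sorted(set(JINJA_OPEN.findall(block)))
            if hits:
                findings.append({"path": path, "delimiters": hits})
    return findings


# Constructed sample; the real Canvas DSL layout is not shown in the advisory.
SAMPLE_DSL = json.dumps({"components": {
    "llm:0": {"obj": {"params": {"sys_prompt":
        "Answer briefly.<CITATION_GUIDELINES>Use [ID:n]. {{ 7 * 7 }}</CITATION_GUIDELINES>"}}},
    "llm:1": {"obj": {"params": {"sys_prompt":
        "<CITATION_GUIDELINES>Cite every claim.</CITATION_GUIDELINES>"}}},
}})

if __name__ == "__main__":
    for finding in find_template_syntax(SAMPLE_DSL):
        print(finding)
```

A hit is a lead for review rather than proof of abuse, since legitimate guideline text may contain braces.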

What the fix does

The advisory does not include a published patch. To remediate the vulnerability, the Jinja2 environment in `rag/prompts/generator.py` must be sandboxed (e.g., using `jinja2.sandbox.SandboxedEnvironment`) to prevent access to dangerous builtins and modules, and user-controlled input should be sanitized or escaped before being passed to the template renderer [1].
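The remediation described above, as an added example (not RAGFlow's code and not a published patch): one constructed, harmless probe is rendered through a plain `Environment`, through `SandboxedEnvironment`, and as a variable of a fixed template. The last case goes one step beyond the advisory's wording by never parsing user text as template source. `PROBE`, `FIXED_TEMPLATE` and the function names are hypothetical, and the `jinja2` package is required.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed, harmless probe: it only reads a type name through a dunder
# attribute, the kind of access a sandbox is meant to refuse.
PROBE = "Cite sources as [ID:n]. {{ ''.__class__.__name__ }}"

# Hypothetical fixed wrapper; RAGFlow's real prompt text is not on the page.
FIXED_TEMPLATE = "Citation rules:\n{{ guidelines }}"


def render_as_template(env, user_text):
    """Pattern the advisory describes: user text is the template source."""
    return env.from_string(user_text).render()


def render_as_data(env, user_text):
    """User text is only a variable value and is never parsed by Jinja2."""
    return env.from_string(FIXED_TEMPLATE).render(guidelines=user_text)


def probe_outcome(render, env):
    """Classify what happened to PROBE: 'evaluated', 'blocked' or 'inert'."""
    try:
        out = render(env, PROBE)
    except SecurityError:
        return "blocked"            # sandbox refused the attribute access
    if "{{" in out:
        return "inert"              # expression survived as literal text
    return "evaluated" if out.endswith("str") else "blocked"


def compare():
    return {
        "unsandboxed, text as template": probe_outcome(render_as_template, Environment()),
        "sandboxed, text as template": probe_outcome(render_as_template, SandboxedEnvironment()),
        "sandboxed, text as data": probe_outcome(render_as_data, SandboxedEnvironment()),
    }


if __name__ == "__main__":
    for setup, outcome in compare().items():
        print(f"{setup}: {outcome}")
```

A sandbox restricts attribute and call access but still evaluates the user's template, so the data-only form leaves the least to go wrong.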

Preconditions

  • auth: Attacker must have a valid authenticated user account on the RAGFlow instance (registration is open to anyone)
  • config: Attacker must be able to create a Canvas workflow with a DuckDuckGo component and an LLM component
  • network: Attacker must be able to start a fake OpenAI-compatible HTTP server to register a model (if no valid model already exists)
  • input: Attacker controls the sys_prompt parameter of the LLM component via the Canvas DSL

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
