CVE-2025-69286
Insecure Token Generation in RAGFlow Allows Account Takeover

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, an insecure key generation algorithm is used for both the personal API key and the beta token (the token used to authenticate shared assistant/agent links), which makes the two tokens mutually derivable. Specifically, both tokens are produced by the same `URLSafeTimedSerializer` from predictable inputs, so an unauthorized user who obtains a shared assistant/agent URL can derive the owner's personal API key and thereby gain full control over the assistant/agent owner's account. Version 0.22.0 fixes the issue.
Meta Information
Published: 2025-12-31
Last Modified: 2025-12-31
Generated: 2026-06-16
AI Q&A: 2026-01-01
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: ragflow
Product: rag
Version / Range: 0.22.0
CWE
CWE-340: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
AI Quick Actions
Executive Summary

This vulnerability in RAGFlow versions prior to 0.22.0 involves the use of an insecure key generation algorithm for API keys and beta tokens. Both tokens are generated using the same URLSafeTimedSerializer with predictable inputs, allowing an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This means the attacker can gain full control over the assistant/agent owner's account.

Impact Analysis

If exploited, this vulnerability allows an attacker to derive the personal API key from the shared assistant/agent URL, granting them full control over the affected user's account. This could lead to unauthorized access, manipulation, or misuse of the assistant/agent services and data.

Mitigation Strategies

Upgrade RAGFlow to version 0.22.0 or later, as this version fixes the insecure key generation algorithm vulnerability.
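The description and the summary above both come down to one design property: when two kinds of tokens are produced by the same signer from predictable inputs and nothing binds a token to its purpose, a token that is meant to be public (the share link) is as good as the private one (the API key). The following is an added illustration, not RAGFlow's code and not its actual token layout: it uses a small HMAC-based signer in place of `URLSafeTimedSerializer`, a constructed `SERVER_SECRET`, and hypothetical tenant and share identifiers. The weak half shows the interchangeability failure; the hardened half shows the two standard remedies, a random API key stored only as a hash and a share token signed under a purpose-specific key that references an opaque share record rather than the owner's identity.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed per-deployment secret for the demo (assumption, not a real value).
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def _split(token: str):
    """Return (body, signature) or None when the token is not two dot-separated parts."""
    parts = token.split(".")
    return (parts[0], parts[1]) if len(parts) == 2 else None


# --- Weak pattern (hypothetical): one signer, one key, no purpose binding --------
# Both token kinds are "timed" signatures over a predictable payload (the tenant id).
# Nothing in the token says what it is for, so the API-key verifier accepts a share
# token: possession of the public share link is possession of an API-key-equivalent.

def weak_token(tenant_id: str, issued_at: int) -> str:
    body = _b64(json.dumps({"tenant": tenant_id, "iat": issued_at}).encode())
    return f"{body}.{_sign(SERVER_SECRET, body)}"


def weak_verify_api_key(token: str):
    """Accepts any token under the shared key; returns the tenant id or None."""
    parts = _split(token)
    if parts is None:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(SERVER_SECRET, body)):
        return None
    return json.loads(_unb64(body))["tenant"]


# --- Hardened pattern: random API keys hashed at rest, purpose-bound share tokens --

def _purpose_key(purpose: str) -> bytes:
    # Per-purpose signing key: a token of one kind never verifies as another kind.
    return hmac.new(SERVER_SECRET, b"purpose:" + purpose.encode(), hashlib.sha256).digest()


def issue_api_key(store: dict, tenant_id: str) -> str:
    """Random, unguessable key; only its SHA-256 digest is kept server-side."""
    key = secrets.token_urlsafe(32)
    store[hashlib.sha256(key.encode()).hexdigest()] = tenant_id
    return key


def verify_api_key(store: dict, presented: str):
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored_digest, tenant_id in store.items():
        if hmac.compare_digest(stored_digest, digest):
            return tenant_id
    return None


def issue_share_token(share_id: str, now: int, ttl_seconds: int) -> str:
    """Signed reference to an opaque share record; carries no owner identity or secret."""
    body = _b64(json.dumps({"sid": share_id, "exp": now + ttl_seconds}).encode())
    return f"{body}.{_sign(_purpose_key('share'), body)}"


def verify_share_token(token: str, now: int):
    """Returns the share id, or None on bad signature, wrong purpose, or expiry."""
    parts = _split(token)
    if parts is None:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(_purpose_key("share"), body)):
        return None
    claims = json.loads(_unb64(body))
    return claims["sid"] if claims["exp"] > now else None


if __name__ == "__main__":
    now = 1_700_000_000
    print("weak: share token accepted as API key ->", weak_verify_api_key(weak_token("tenant-1", now)))
    store = {}
    api_key = issue_api_key(store, "tenant-1")
    share = issue_share_token("share-42", now, 3600)
    print("hardened: share token as API key ->", verify_api_key(store, share))
    print("hardened: API key as share token ->", verify_share_token(api_key, now))
```

The point to check in any deployment, regardless of library, is the second half: a credential that grants account-level access must be random and stored hashed, and a token handed out in a public URL must verify only under its own purpose-specific key (with `itsdangerous`, that is what a distinct `salt` per token kind is for) and must not encode anything from which the private credential can be recomputed.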
