CVE-2025-69286
Insecure Token Generation in RAGFlow Allows Account Takeover
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: GitHub, Inc.
Description
RAGFlow versions prior to 0.22.0 generate both API keys and beta (share) tokens with the same URLSafeTimedSerializer from predictable inputs. Because the serializer signs and base64-encodes its input but does not randomise or encrypt it, an attacker who obtains a shared assistant/agent URL can derive the owner's personal API key from it and take over the account. Fixed in 0.22.0.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ragflow | rag | < 0.22.0 (fixed in 0.22.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-340 | Generation of Predictable Numbers or Identifiers: the product uses a scheme that generates numbers or identifiers that are more predictable than required. |
AI Powered Q&A
Can you explain this vulnerability to me?
RAGFlow versions prior to 0.22.0 use an insecure key generation algorithm for API keys and beta tokens. Both are produced by the same URLSafeTimedSerializer from predictable inputs. A URLSafeTimedSerializer only signs and base64-encodes what it is given; it does not encrypt or randomise it, so a token minted from a predictable input is itself predictable no matter how strong the server secret is. An unauthorized user who obtains the shared assistant/agent URL (which carries the beta token) can therefore derive the owner's personal API key and gain full control over the assistant/agent owner's account.
How can this vulnerability impact me?
If exploited, an attacker who has only a shared assistant/agent URL can derive the owner's personal API key, which grants full control over the affected account. This can lead to unauthorized access to, manipulation of, or misuse of the assistant/agent services and the data behind them.
What immediate steps should I take to mitigate this vulnerability?
Upgrade RAGFlow to version 0.22.0 or later, which fixes the insecure key generation algorithm. Because the fix changes only how new tokens are generated, regenerate API keys and beta tokens that were issued by an earlier version after upgrading, and treat assistant/agent URLs shared while the old version was in use as potentially exposed.
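The following Python model, added here as an illustration and not taken from RAGFlow or from the advisory, shows the weakness class in the shape the answers above describe: an API key and a beta token minted from the same signed serializer with a predictable, clock-based payload, and an attacker who holds only the beta token recovering the API key without ever learning the server secret. Everything specific to the model is an assumption chosen to make the mechanism visible: the stand-in serializer (written with the standard library so the block runs offline, mirroring the `payload.timestamp.signature` layout of itsdangerous' URLSafeTimedSerializer), the uuid1-style payload, the 32-character cut taken from the serializer output, the constant `NODE`, the tenant id, and the `is_valid_api_key` callback standing in for a request to the server. The hardened pair at the end shows the fix: independent CSPRNG tokens with only a hash kept at rest.

```python
"""Toy model of CWE-340 as described in this advisory: two tokens minted from
the same signed serializer with a predictable payload. Added illustration,
NOT RAGFlow's code. Constructed assumptions: the stand-in serializer, the
uuid1-style payload, the 32-char cut, NODE, the tenant id and the oracle."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional, Tuple

SECRET_KEY = b"server-side-secret"   # constructed; the attacker never sees it
NODE = "5e1fc0ffee42"                # constant host id, like the node field of a uuid1


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def timed_dumps(payload: str, salt: str, ts: int) -> str:
    """Stand-in for URLSafeTimedSerializer.dumps. Output is
    base64(json(payload)).base64(ts).base64(hmac): the payload is only
    encoded, never encrypted; SECRET_KEY and salt touch only the signature."""
    body = _b64(json.dumps(payload).encode())
    stamp = _b64(ts.to_bytes(8, "big").lstrip(b"\x00") or b"\x00")
    key = hmac.new(SECRET_KEY, salt.encode(), hashlib.sha1).digest()
    sig = hmac.new(key, f"{body}.{stamp}".encode(), hashlib.sha1).digest()
    return f"{body}.{stamp}.{_b64(sig)}"


# --- weak scheme: predictable input, token cut out of the payload section ---
def predictable_id(ticks: int) -> str:
    """uuid1-style identifier: clock ticks plus a fixed node, no CSPRNG."""
    return f"{ticks:020x}{NODE}"


def weak_token(ticks: int, salt: str) -> str:
    """32 chars cut from the serializer output. The cut lands inside the
    base64 payload, so neither SECRET_KEY nor salt influences the result."""
    return timed_dumps(predictable_id(ticks), salt, ts=ticks)[4:36]


def mint_weak_pair(tenant_id: str, ticks: int) -> Tuple[str, str]:
    """Server side: API key, then a beta token minted moments later on the
    same clock with the API key as salt (the salt changes nothing here)."""
    api_key = weak_token(ticks, salt=tenant_id)
    beta = weak_token(ticks + 3, salt=api_key)
    return api_key, beta


# --- attacker side: holds only the beta token taken from a shared URL ---
def derive_api_key(beta: str, is_valid_api_key: Callable[[str], bool],
                   window: int = 64) -> Optional[str]:
    """Decode the beta token back to its predictable input, then walk the
    clock backwards re-encoding candidates until the server accepts one.
    No secret is needed; the unknown node tail never enters the 32-char cut."""
    try:
        raw = _unb64(beta[:32]).decode("ascii")   # hex chars 2..25 of the id
        beta_ticks = int(raw[:18], 16)            # tick digits 2..19 (top two are 0)
    except (ValueError, UnicodeDecodeError):
        return None                               # not a payload-shaped token
    node_head = raw[18:24]
    for delta in range(1, window + 1):
        candidate_id = f"{beta_ticks - delta:020x}{node_head}000000"
        candidate = _b64(json.dumps(candidate_id).encode())[4:36]
        if is_valid_api_key(candidate):           # in practice: one API request
            return candidate
    return None


# --- hardened scheme: independent CSPRNG tokens, only a hash kept at rest ---
def mint_strong_pair() -> Tuple[str, str]:
    """Fix: two unrelated 256-bit random tokens; there is nothing to derive."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def token_fingerprint(token: str) -> str:
    """Store this instead of the token so a database leak does not hand out keys."""
    return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    api_key, beta = mint_weak_pair("tenant-42", ticks=0x1E8C3A2B1C0D9F0)
    found = derive_api_key(beta, lambda t: t == api_key)
    print("weak scheme, API key recovered from beta token:", found == api_key)
    s_key, s_beta = mint_strong_pair()
    print("strong scheme, recovered:", derive_api_key(s_beta, lambda t: t == s_key))
```

Two properties of the weak scheme are worth checking directly: `weak_token(t, "a") == weak_token(t, "b")` for any `t`, because the cut never reaches the signature, and `derive_api_key` returns the API key after a handful of oracle calls because the two tokens sit a few ticks apart on the same clock. Against `mint_strong_pair` the same routine returns `None`: a random token decodes to noise, and there is no clock relationship between the two values to walk.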