CVE-2026-28797
Server-Side Template Injection in RAGFlow Enables Remote Code Execution

Publication date: 2026-04-03

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At time of publication, there are no publicly available patches.
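The root cause named above is rendering user-controlled template strings with the unsandboxed jinja2.Template. As an added example (not RAGFlow's code and not from the advisory), this is the replacement pattern a maintainer or downstream operator would use: jinja2's sandboxed environment, strict handling of undefined names, and an explicit allow-list of the workflow variables a text-processing step may reference. The variable names and the size limit are assumptions.

```python
"""Sandboxed rendering for user-supplied Jinja2 templates.

Added example, not RAGFlow code. The advisory's root cause is rendering
user-controlled template strings with the unsandboxed jinja2.Template;
this is the replacement pattern: a sandboxed environment, strict
handling of undefined names, and an allow-list of workflow variables.
Variable names and the size limit below are assumptions for the example.
"""
from jinja2 import StrictUndefined
from jinja2.exceptions import SecurityError, TemplateSyntaxError, UndefinedError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# The sandbox refuses attribute names starting with "_" and other internal
# attributes (the route from an ordinary value to interpreter internals);
# the immutable variant also refuses mutating calls such as list.append.
# StrictUndefined turns a blocked or unknown name into an exception instead
# of silently rendering an empty string.
_ENV = ImmutableSandboxedEnvironment(
    undefined=StrictUndefined,
    autoescape=False,  # plain-text output for a text-processing step
)

# Only the workflow variables a text-processing step legitimately needs
# (assumed names) are passed into the template context.
ALLOWED_VARS = frozenset({"input", "query", "chunks"})
MAX_TEMPLATE_BYTES = 8192  # assumed limit


def render_untrusted(template_src: str, context: dict) -> tuple[bool, str]:
    """Render a user-supplied template inside the sandbox.

    Returns (ok, text). When ok is False, text is a short reason that is
    safe to log; a SecurityError raised by a text-processing component is
    a strong detection signal, since such a step has no reason to touch
    object internals.
    """
    if len(template_src.encode("utf-8")) > MAX_TEMPLATE_BYTES:
        return False, "template too large"
    ctx = {k: v for k, v in context.items() if k in ALLOWED_VARS}
    try:
        return True, _ENV.from_string(template_src).render(**ctx)
    except SecurityError as exc:
        return False, f"blocked by sandbox: {exc}"
    except UndefinedError as exc:
        return False, f"undefined name: {exc}"
    except TemplateSyntaxError as exc:
        return False, f"template syntax error: {exc}"
```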
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-22
Generated: 2026-05-06
AI Q&A: 2026-04-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: infiniflow
Product: ragflow
Version / Range: up to and including 0.24.0
CWE
CWE-1336: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting access to the vulnerable components to only fully trusted users and monitoring for any unusual activity that might indicate exploitation attempts.

Additionally, consider disabling or limiting the use of the Agent workflow Text Processing (StringTransform) and Message components that use unsandboxed jinja2.Template rendering of user-supplied templates.

Implement network-level controls to limit exposure of the RAGFlow server and enforce strict authentication and authorization policies.


Can you explain this vulnerability to me?

The vulnerability in RAGFlow versions 0.24.0 and prior is a Server-Side Template Injection (SSTI) issue. It occurs in the Agent workflow's Text Processing (StringTransform) and Message components, which use Python's jinja2.Template without sandboxing to render user-supplied templates. This allows any authenticated user to execute arbitrary operating system commands on the server.


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows authenticated users to run arbitrary operating system commands on the server hosting RAGFlow. This could lead to unauthorized access, data theft, data manipulation, service disruption, or complete system compromise.

