CVE-2026-58579
Received Received - Intake

Stored XSS in RAGFlow Agent Pipeline via Unsanitized Node Names

Vulnerability report for CVE-2026-58579, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

RAGFlow before 0.26.3 stores an agent pipeline (DSL) node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalize_dsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name into the "Rerun from current step" confirmation modal via dangerouslySetInnerHTML, and the i18next configuration sets escapeValue:false, so the value is inserted into the DOM without HTML encoding. An authenticated workspace user who can create or edit an agent can inject arbitrary JavaScript that executes in the session of another workspace member who opens the dataflow result and clicks rerun, enabling session/token theft and account takeover across the user trust boundary.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-03
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
infiniflow ragflow to 0.26.3 (exc)
ragflow ragflow to 0.26.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58579 is a stored cross-site scripting (XSS) vulnerability in RAGFlow versions before 0.26.3. It occurs because agent pipeline node names are stored without sanitization and later rendered in the web UI's "Rerun from current step" confirmation modal using dangerouslySetInnerHTML. The i18next configuration disables HTML escaping, so malicious JavaScript embedded in node names executes in the browsers of other workspace users who view the modal and click rerun.

An authenticated user with permission to create or edit agents can inject arbitrary JavaScript code into the node name. When another user opens the dataflow result and triggers the rerun modal, the injected script runs in their session, potentially leading to session or token theft and account takeover.

Impact Analysis

This vulnerability can lead to the execution of arbitrary JavaScript in the browser sessions of other workspace members. Specifically, it enables attackers to steal session tokens or authentication credentials.

As a result, an attacker can perform account takeover attacks across user trust boundaries within the workspace, compromising user accounts and potentially gaining unauthorized access to sensitive data or functionality.

Mitigation Strategies

To mitigate the CVE-2026-58579 vulnerability, you should upgrade RAGFlow to version 0.26.3 or later, where the issue has been fixed.

The fix involves sanitizing the agent pipeline node names before rendering them in the "Rerun from current step" confirmation modal using the DOMPurify library, which strips unsafe HTML tags and attributes to prevent script execution.

Additional mitigation steps include enabling HTML escaping globally in the i18next configuration or stripping HTML from node names during server-side processing to prevent injection of malicious scripts.

Ensure that only authenticated and authorized users can create or edit agents, as the vulnerability requires such permissions to inject malicious payloads.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58579. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart