CVE-2026-45312
RAGFlow · RAGFlow
A Jinja2 template injection vulnerability in RAGFlow's prompt generator allows authenticated users to execute arbitrary OS commands on the server.
Executive summary
A server-side template injection (SSTI) vulnerability in RAGFlow's Jinja2-based prompt generator allows any authenticated user to achieve remote code execution on the server by submitting a malicious prompt-generation workflow.
Vulnerability
The prompt generator (rag/prompts/generator.py) contains a Jinja2 template injection flaw: user-controlled content reaches the Jinja2 engine as template source rather than as data, so expressions embedded in it are evaluated on the server. Authenticated users can create a specially crafted workflow, such as a Canvas workflow chaining a DuckDuckGo component with an LLM component, to trigger the injection and execute arbitrary OS commands with the privileges of the RAGFlow service process.
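The pattern behind this class of flaw, shown as an added illustration rather than RAGFlow's own code (the function names, the prompt template and the sample user input are assumptions constructed for this example): in the vulnerable form, user text is concatenated into the template source and compiled, so `{{ 7 * 7 }}` becomes `49` and a payload walking `__class__.__mro__` can reach `os`/`subprocess`; in the hardened form, the template is a fixed string owned by the code and user text is only ever passed in as a variable. A `SandboxedEnvironment` is shown as defense in depth for cases where user-authored templates are a product requirement.

```python
# Added example of the Jinja2 SSTI pattern described in the advisory.
# Not RAGFlow's code: function names, PROMPT_TEMPLATE and USER_TEXT are
# constructed for this illustration.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample of text an authenticated user controls through a
# workflow component (e.g. a prompt fragment or a search result).
USER_TEXT = "{{ 7 * 7 }}"

# Classic SSTI probe: walk from a harmless object to object.__subclasses__(),
# from which a real payload would pick a class whose globals expose os/popen.
PROBE = "{{ ''.__class__.__mro__[1].__subclasses__() }}"


def render_unsafe(user_text: str) -> str:
    """Vulnerable: user text is compiled AS the template, so any Jinja2
    expression inside it is evaluated server-side."""
    env = Environment()
    return env.from_string("Summarize: " + user_text).render()


# Hardened pattern 1: fixed template, user text passed as data.  Delimiters in
# the data are substituted literally, never compiled.
PROMPT_TEMPLATE = "Summarize: {{ user_text }}"


def render_safe(user_text: str) -> str:
    env = Environment(autoescape=False)
    return env.from_string(PROMPT_TEMPLATE).render(user_text=user_text)


def render_sandboxed(user_text: str) -> str:
    """Hardened pattern 2 (defense in depth only): if templates must be user
    authored, compile them in SandboxedEnvironment, which refuses access to
    private attributes such as __class__ that SSTI payloads depend on.
    Returns the rendered text, or the exception type name when the sandbox
    blocks the template.  Note the sandbox still evaluates benign expressions,
    so it is not a substitute for pattern 1."""
    env = SandboxedEnvironment()
    try:
        return env.from_string("Summarize: " + user_text).render()
    except SecurityError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(render_unsafe(USER_TEXT))      # expression evaluated: "Summarize: 49"
    print(render_safe(USER_TEXT))        # treated as data: "Summarize: {{ 7 * 7 }}"
    print(render_sandboxed(PROBE))       # blocked: "SecurityError"
    print("<class 'type'>" in render_unsafe(PROBE))  # True: subclass list leaked
```

The fix that actually closes the hole is structural (pattern 1): never build template source from request data. The sandbox catches the well-known attribute-walk payloads but still runs arbitrary benign expressions and has had bypasses historically, so treat it as a second layer, not the primary control.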
Business impact
With a CVSS score of 9.9, this vulnerability is critical. While it requires authentication, the ability for any standard user to gain remote code execution on the server poses a significant threat to the platform's security, potentially leading to total system compromise.
Remediation
Immediate Action: Update to the latest version of RAGFlow.
Proactive Monitoring: Monitor for unusual child processes (shells, interpreters, network or download tools) spawned by the RAGFlow service process, and for outbound connections from that process that it does not normally make; either is a strong indicator that the injection point has been exercised.
Compensating Controls: Enforce strict controls on user permissions and limit the ability of regular users to create complex workflows or access sensitive prompt generation features.
Exploitation status
Public Exploit Available: None
Analyst recommendation
Organizations should update their RAGFlow installation to the latest available version immediately. Additionally, audit all user-created workflows for patterns that indicate an attempt to leverage this injection point: Jinja2 delimiters such as {{ or {% inside prompt text, and references to __class__, __mro__, __subclasses__, __globals__, os, popen or subprocess within those expressions.
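One way to run that audit, as an added example that is not part of the advisory or the RAGFlow project: walk an exported workflow document, flag every string that contains Jinja2 delimiters, and raise the severity when the expression also contains tokens characteristic of Python SSTI payloads. The workflow structure below (a DuckDuckGo component feeding LLM components) is a constructed sample that mirrors the chain described in the advisory; the scanner itself is structure-agnostic, so it does not depend on RAGFlow's real export schema.

```python
# Added example: audit user-created workflow JSON for SSTI payload patterns.
# Not RAGFlow's code; SAMPLE_WORKFLOW is a constructed document whose layout
# is an assumption, not the project's export format.
from __future__ import annotations

import json
import re
from typing import Any, Iterator

# Any Jinja2 delimiter: a {{ }} in prompt text may be legitimate, so on its
# own it is only a low-severity finding.
JINJA_DELIM = re.compile(r"\{\{|\{%|\{#")

# Tokens typical of payloads that walk from a harmless object to os/subprocess.
INDICATORS = re.compile(
    r"__class__|__mro__|__subclasses__|__globals__|__builtins__|__import__"
    r"|\bos\.|popen|subprocess|\bsystem\b"
)

# Constructed sample: one benign prompt, one injected prompt.
SAMPLE_WORKFLOW = {
    "components": [
        {"id": "search_0", "type": "DuckDuckGo",
         "params": {"query": "latest RAGFlow release"}},
        {"id": "llm_0", "type": "Generate",
         "params": {"prompt": "Summarize the results:\n"
                              "{{ ''.__class__.__mro__[1].__subclasses__() }}"}},
        {"id": "llm_1", "type": "Generate",
         "params": {"prompt": "Answer using {{ context }} only."}},
    ]
}


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string) for every string leaf in a nested document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def audit_workflow(workflow: dict) -> list[dict]:
    """Return findings for every string containing Jinja2 delimiters.
    Severity is 'high' when SSTI indicator tokens are also present."""
    findings = []
    for path, text in _walk(workflow):
        if not JINJA_DELIM.search(text):
            continue
        hits = sorted({m.group(0) for m in INDICATORS.finditer(text)})
        findings.append({
            "path": path,
            "severity": "high" if hits else "low",
            "indicators": hits,
            "snippet": text[:120],
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_workflow(SAMPLE_WORKFLOW), indent=2))
```

Run it over every workflow export, triage the high-severity findings first, and review the low-severity ones for fields where a user should never have been able to write template syntax at all; after the upgrade, any such field is still worth sanitising, since the finding tells you which users probed the injection point before the fix.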