CVE-2025-69286
📋 TL;DR
CVE-2025-69286 is a critical authentication bypass vulnerability in RAGFlow where API keys and beta tokens are generated using the same insecure algorithm with predictable inputs. An attacker who obtains a shared assistant/agent URL can derive the owner's personal API key, gaining full account control. All RAGFlow users running versions before 0.22.0 are affected.
💻 Affected Systems
- RAGFlow
📦 What is this software?
Ragflow by Infiniflow
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover allowing unauthorized access to all assistant/agent data, configurations, and potentially sensitive information processed through the RAG system.
Likely Case
Unauthorized users gaining administrative access to RAGFlow instances, potentially exposing sensitive documents, embeddings, and conversation histories.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized users from accessing shared URLs.
🎯 Exploit Status
Exploitation requires access to a shared assistant/agent URL, but once obtained, deriving the API key is straightforward due to the predictable algorithm.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.22.0
Vendor Advisory: https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7
Restart Required: Yes
Instructions:
1. Backup your RAGFlow data and configurations.
2. Stop the RAGFlow service.
3. Update to version 0.22.0 or later using your deployment method (Docker, Kubernetes, or direct installation).
4. Restart the service.
5. Regenerate all API keys and beta tokens.
🔧 Temporary Workarounds
Disable shared assistant/agent URLs
Temporarily disable the beta feature that generates shareable assistant/agent URLs to prevent token exposure.
Modify configuration to disable beta sharing features
Network isolation
Restrict access to RAGFlow instances to trusted networks only.
Configure firewall rules to limit access to RAGFlow ports
🧯 If You Can't Patch
- Rotate all API keys and beta tokens immediately to invalidate potentially compromised credentials.
- Implement strict access controls and monitoring for any shared assistant/agent URLs, logging all access attempts.
🔍 How to Verify
Check if Vulnerable:
Check your RAGFlow version. If it's below 0.22.0, you are vulnerable. Review if any shared assistant/agent URLs have been generated.
Check Version:
Check the RAGFlow web interface or deployment configuration for version information.
Verify Fix Applied:
After updating to 0.22.0, verify that new API keys and beta tokens are generated using the updated secure method and are no longer mutually derivable.
📡 Detection & Monitoring
Log Indicators:
- Unusual API key usage patterns
- Access from unexpected IP addresses using valid API keys
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- Unexpected API requests to sensitive endpoints
- Traffic patterns suggesting enumeration of shared URLs
SIEM Query:
Example: 'source="ragflow" AND (event="api_key_derived" OR event="unauthorized_access")'
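As an added example, not code from the advisory or from the RAGFlow project, the following script implements the "access from unexpected IP addresses using valid API keys" indicator over a few constructed log lines. The log layout, the key identifiers and the trusted address prefix are all assumptions; adapt the regex to the access-log format your deployment actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (hypothetical; the page does not give RAGFlow's real layout):
# "<ISO timestamp> key=<api key id> ip=<source address> path=<endpoint> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Constructed sample: ak_1 is used from the internal range, then minutes later the
# same key appears from an unrelated external address (the pattern a derived key
# would produce). ak_2 is only ever used internally.
SAMPLE_LOGS = """\
2025-01-10T09:00:01 key=ak_1 ip=10.0.1.15 path=/api/v1/chats status=200
2025-01-10T09:00:05 key=ak_1 ip=10.0.1.15 path=/api/v1/datasets status=200
2025-01-10T09:03:12 key=ak_1 ip=203.0.113.7 path=/api/v1/datasets status=200
2025-01-10T09:03:15 key=ak_1 ip=203.0.113.7 path=/api/v1/agents status=200
2025-01-10T09:10:00 key=ak_2 ip=10.0.1.22 path=/api/v1/chats status=200
"""


def parse(text):
    """Parse matching lines into dicts; silently skip lines in another format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_suspicious_keys(events, trusted_prefixes=("10.",), window_seconds=600):
    """Return {key: sorted untrusted IPs} for every key that is used from an address
    outside trusted_prefixes within window_seconds of a use from a trusted address.
    Keys seen only from trusted, or only from untrusted, addresses are not flagged."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["key"]].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        trusted = [e for e in evs if e["ip"].startswith(trusted_prefixes)]
        untrusted = [e for e in evs if not e["ip"].startswith(trusted_prefixes)]
        hits = {u["ip"] for u in untrusted
                if any(abs((u["ts"] - t["ts"]).total_seconds()) <= window_seconds
                       for t in trusted)}
        if hits:
            flagged[key] = sorted(hits)
    return flagged


if __name__ == "__main__":
    print(find_suspicious_keys(parse(SAMPLE_LOGS)))  # {'ak_1': ['203.0.113.7']}
```

Feed the output into the SIEM alert above alongside the key rotation step: a flagged key should be revoked, not merely investigated, since the page states that a derived key gives full account control.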
🔗 References
- https://github.com/infiniflow/ragflow/blob/v0.20.5/api/apps/system_app.py#L214-L215
- https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/__init__.py#L343
- https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/api_utils.py#L378
- https://github.com/infiniflow/ragflow/commit/a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6
- https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7