CVE-2025-69286
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-69286
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-69286.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-69286
- Aliases
-
- GHSA-9j5g-g4xm-57w7
- Published
- 2025-12-31T21:52:54.304Z
- Modified
- 2026-01-08T06:45:34.091697Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability
- Details
-
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable. Specifically, both tokens are generated using the same
URLSafeTimedSerializerwith predictable inputs, enabling an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This grants them full control over the assistant/agent owner's account. Version 0.22.0 fixes the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69286.json", "cwe_ids": [ "CWE-340" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69286.json
- https://github.com/infiniflow/ragflow/blob/v0.20.5/api/apps/system_app.py#L214-L215
- https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/__init__.py#L343
- https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/api_utils.py#L378
- https://github.com/infiniflow/ragflow/commit/a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6
- https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7
- https://nvd.nist.gov/vuln/detail/CVE-2025-69286
Affected packages
Git / github.com/infiniflow/ragflow
Affected ranges
- Type
- GIT
- Repo
- https://github.com/infiniflow/ragflow
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed