Cyber Posture

CVE-2026-28797

HighPublic PoC

Published: 03 April 2026

Published
03 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates,…

more

allowing any authenticated user to execute arbitrary operating system commands on the server. At time of publication, there are no publicly available patches.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates the improper input validation (CWE-20) by requiring validation of user-supplied templates to prevent SSTI exploitation leading to OS command injection in RAGFlow's StringTransform and Message components.

SI-2 Flaw Remediation good match
preventrecover

Mandates identification, reporting, and timely remediation of the SSTI flaw in RAGFlow v0.24.0 and prior, including applying patches when available to eliminate the vulnerability.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on the RAGFlow server process and authenticated user accounts, limiting the scope and impact of arbitrary OS commands executed via SSTI.

Security SummaryAI

CVE-2026-28797 is a Server-Side Template Injection (SSTI) vulnerability in RAGFlow, an open-source Retrieval-Augmented Generation (RAG) engine. It affects versions 0.24.0 and prior, specifically in the Agent workflow's Text Processing (StringTransform) and Message components. These components render user-supplied templates using Python's unsandboxed jinja2.Template, enabling template injection that leads to arbitrary operating system command execution on the server. The vulnerability is associated with CWEs-20 (Improper Input Validation), CWE-78 (OS Command Injection), CWE-94 (Code Injection), and CWE-1336 (Incorrect Handling of Shared Resources), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Any authenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants attackers the ability to execute arbitrary OS commands on the affected server, potentially leading to full system compromise, data theft, or further lateral movement, given the high impact on confidentiality, integrity, and availability.

The GitHub security advisory (GHSA-vvwj-fvwh-4whx) confirms that, at the time of publication, no publicly available patches exist for this issue.

As a RAG engine, RAGFlow has relevance to AI/ML deployments, where open-source tools for retrieval-augmented generation are commonly used in production environments handling sensitive data. No real-world exploitation has been reported in available information.

Details

CWE(s)
CWE-20CWE-78CWE-94CWE-1336

Affected Products

infiniflow
ragflow
≤ 0.24.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

SSTI in network-accessible Python/Jinja2 web app directly enables remote exploitation of public-facing application (T1190) leading to arbitrary OS command execution via Python interpreter (T1059.006) and Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References