Platform: python
Component: ragflow
Fixed in: 0.23.2
CVE-2026-24770 describes a critical Remote Code Execution (RCE) vulnerability discovered in RAGFlow, an open-source Retrieval-Augmented Generation (RAG) engine. This flaw allows attackers to overwrite arbitrary files on the server, potentially leading to complete system compromise. The vulnerability affects versions of RAGFlow up to and including 0.23.1, and a patch is available in version 0.23.2.
The vulnerability lies within the MinerU parser, specifically in the extractzipnoroot function, which handles ZIP file extraction. An attacker can craft a malicious ZIP archive whose entry names contain path-traversal sequences, so that extraction writes outside the intended directory and overwrites critical system files or injects malicious code. Successful exploitation allows arbitrary code execution on the server hosting the RAGFlow instance, which could result in data theft, system takeover, or denial of service. The impact is particularly severe because of the potential for complete system compromise and the ease with which a malicious ZIP file can be created and delivered.
This vulnerability is considered highly exploitable due to the ease of crafting malicious ZIP archives and the potential for remote code execution. While no public exploits have been widely reported, the vulnerability's severity and the ease of exploitation make it a likely target for attackers. It was disclosed on 2026-01-27. The vulnerability shares characteristics with known 'Zip Slip' vulnerabilities, which have been exploited in other applications.
Exploit Status
EPSS: 0.92% (76th percentile)
The primary mitigation is to immediately upgrade RAGFlow to version 0.23.2 or later, which includes a patch for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting the mineruserverurl to trusted sources, implementing strict file access controls on the server, and validating ZIP archive contents before extraction. Consider using a Web Application Firewall (WAF) to filter potentially malicious ZIP files based on filename patterns. After upgrading, confirm the fix by attempting to extract a test ZIP archive with a specially crafted filename designed to trigger the vulnerability and verifying that the extraction fails safely.
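The workaround of validating archive contents before extraction, and the post-upgrade check of feeding a traversal-named test archive to the extractor, both come down to one rule: no member may resolve to a path outside the destination directory. The following Python is an added example written for this page, not RAGFlow's own code or its patch; the fixture archives, the function names (unsafe_members, safe_extract, run_demo) and the file names inside them are constructed. It validates every member of an in-memory archive against the resolved destination before writing anything, so a single hostile entry rejects the whole archive rather than leaving a half-extracted tree.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def unsafe_members(zip_bytes: bytes, dest: str) -> list[str]:
    """Return the names of archive members that would land outside ``dest``.

    Each member name is joined to the destination and resolved; anything whose
    resolved path is not inside the resolved destination is a Zip Slip entry
    (``../`` traversal, an absolute path, or a backslash-separated variant).
    """
    root = Path(dest).resolve()
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Treat backslashes as separators so "..\\x" is not read as a plain
            # file name on POSIX and silently passed through.
            target = (root / name.replace("\\", "/")).resolve()
            if target != root and root not in target.parents:
                flagged.append(name)
    return flagged


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every member first, then write them; returns the written names.

    Validation runs over the whole archive before the first write, so a hostile
    entry anywhere in the archive means nothing is written at all.
    """
    bad = unsafe_members(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract: traversal entries {bad}")
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {name: content} (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: a benign archive and one whose entry names try to escape.
BENIGN_ZIP = build_zip({"doc/page_1.md": b"# page 1\n", "doc/images/fig.png": b"\x89PNG"})
TRAVERSAL_ZIP = build_zip({
    "doc/ok.md": b"fine",
    "../../outside.txt": b"escaped",
    "/etc/absolute.txt": b"abs",
})


def run_demo() -> dict:
    """Extract both fixtures into a fresh temporary directory and report what happened."""
    dest = tempfile.mkdtemp(prefix="zipslip_demo_")
    result = {"benign_written": safe_extract(BENIGN_ZIP, dest)}
    try:
        safe_extract(TRAVERSAL_ZIP, dest)
        result["traversal_blocked"] = False
    except ValueError:
        result["traversal_blocked"] = True
        result["flagged"] = unsafe_members(TRAVERSAL_ZIP, dest)
    # Even the hostile archive's benign member must not have been written.
    result["partial_write"] = os.path.exists(os.path.join(dest, "doc", "ok.md"))
    return result


if __name__ == "__main__":
    print(run_demo())
```

The check resolves the joined path rather than pattern-matching on "..": an absolute member name replaces the destination entirely when joined, and a resolve-based comparison catches that case as well as the dotted one. Note that Python's own ZipFile.extractall already strips drive letters, leading separators and ".." components, so Zip Slip in Python code typically appears where an extractor writes members by hand with os.path.join, which is the pattern safe_extract guards.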
Update the RAGFlow library to a version later than 0.23.1. This resolves the Zip Slip vulnerability. Be sure to verify the integrity of new releases before deploying them.
CVE-2026-24770 is a critical Remote Code Execution vulnerability in RAGFlow versions up to 0.23.1, allowing attackers to overwrite files via malicious ZIP archives.
You are affected if you are using RAGFlow version 0.23.1 or earlier. Upgrade to 0.23.2 to resolve the issue.
Upgrade RAGFlow to version 0.23.2 or later. If immediate upgrade isn't possible, implement temporary workarounds like restricting external URLs and file access controls.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation make it a likely target. Monitor your systems closely.
Refer to the RAGFlow project's official repository and release notes for the latest advisory and security updates.