PT-2025-54469 · Ragflow · Ragflow

Published: 2025-12-31 · Updated: 2026-01-02 · CVE-2025-69286
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RAGFlow versions prior to 0.22.0
Description: RAGFlow is a Retrieval-Augmented Generation engine. Versions prior to 0.22.0 use an insecure key generation algorithm when creating API keys and beta tokens (the shared authentication for assistants/agents). As a result, these tokens are mutually derivable: an attacker who obtains the shared assistant/agent URL can derive the owner's personal API key and gain full control over the assistant/agent owner's account. The key generation process uses the URLSafeTimedSerializer with predictable inputs.
Recommendations: Update to version 0.22.0 or later.

Exploit

Fix


Weakness Enumeration

Related identifiers

CVE-2025-69286
GHSA-9J5G-G4XM-57W7

Affected products

Ragflow