Alexanderbarabanov

**Name of the Vulnerable Software and Affected Versions** RAGFlow versions <= 0.13.0 **Description** RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability, which may lead to unauthorized cross-tenant access. This can result in listing tenant user accounts and adding user accounts into other tenants. The issue can be exploited via API endpoints such as "GET /<tenant id>/user/list" and "POST /<tenant id>/user". **Recommendations** For RAGFlow versions <= 0.13.0, users are advised to reach out to the project maintainers to coordinate a fix, as this issue has not yet been patched. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "GET /<tenant id>/user/list" and "POST /<tenant id>/user", to minimize the risk of exploitation.