CVE-2025-69286 — RAGFlow Authentication Breakdown Allows API Key Derivation from Shared Links

Aegiron 6 mins0

Vulnerability Overview

  • CVE ID: CVE-2025-69286
  • Product: RAGFlow
  • Affected Versions: All versions prior to 0.22.0
  • Fixed Version: 0.22.0
  • Vulnerability Class: Broken Authentication, Cryptographic Weakness
  • Attack Vector: Remote / Network
  • Privileges Required: None
  • User Interaction: None

Severity & Risk Summary

  • CVSS v3.1 Base Score: 9.6 (Critical)
  • Severity: Critical
  • Exploitability: High (logic-based, no brute force)
  • Exploit Availability: Feasible without custom tooling
  • Blast Radius: Full tenant / account compromise

This vulnerability completely collapses the trust boundary between shared access and owner-level credentials.

Executive Summary

RAGFlow’s token architecture unintentionally created a one-way trust inversion: a low-privilege, externally shareable token could be transformed into a high-privilege, private credential.

From a security perspective, this is worse than credential leakage because:

  • The owner never exposes their API key
  • There is no brute-force or guessing activity
  • Compromise appears as legitimate access in logs

The attack leverages design-level cryptographic coupling, making traditional perimeter defenses ineffective.

Technical Breakdown

Token Lifecycle Weakness

In affected versions, RAGFlow treated tokens as:

  • Signed data blobs rather than credentials
  • Stateless artifacts instead of security boundaries

Key weaknesses:

  • No token purpose binding (API vs Share)
  • No audience claim
  • No token scope enforcement
  • No asymmetric derivation

As a result, tokens that should have been:

“Valid only for viewing a shared assistant”

Were effectively:

“Alternate encodings of the same secret identity”

Why Time-Based Serialization Made It Worse

URLSafeTimedSerializer introduces:

  • Timestamp tolerance windows
  • Backward compatibility for token validation

This means:

  • Even expired or near-expiry tokens can sometimes be replayed
  • Token regeneration attempts are forgiving
  • Attackers can test derivations without triggering errors

This increases exploit reliability and reduces noise.

Abuse in Real-World Environments

SaaS / Multi-Tenant Risk

  • One compromised share link = entire tenant exposed
  • Lateral movement possible if assistants are reused across teams

Supply Chain Risk

  • Shared assistants embedded in:
    • Documentation portals
    • Customer-facing demos
    • Internal knowledge bases

Attackers do not need to target users directly — they target shared workflows.

Extended Attack Chain

  1. Passive discovery of shared assistant URL
  2. Offline token decoding (no traffic generated)
  3. API key derivation performed locally
  4. Authenticated API access begins
  5. Attacker blends in with normal usage patterns
  6. Optional:
    • Key rotation
    • Persistence via new assistants
    • Data exfiltration over time

This is a low-and-slow compromise, ideal for stealthy attackers.

Advanced Detection Opportunities

Indicators of Compromise (IoCs)

  • API key usage without:
    • UI session
    • MFA challenge
    • API key creation audit event
  • API keys suddenly used with:
    • Elevated endpoint access
    • Configuration or admin routes
  • Multiple assistants modified in short timeframes

Sigma Rule – Privilege Escalation via API Key

title: RAGFlow Privilege Escalation via Derived API Key
id: cve-2025-69286-priv-esc
status: experimental
description: Detects API key activity accessing privileged endpoints without prior admin authentication
author: Security Research
logsource:
  category: application
  product: ragflow
detection:
  selection:
    uri|contains:
      - "/api/v1/admin"
      - "/api/v1/assistants/update"
      - "/api/v1/settings"
  condition: selection
level: high

Logging Gaps to Be Aware Of

Many affected deployments lack:

  • Token lineage tracking
  • Correlation between share tokens and API keys
  • Immutable audit trails

This means post-incident forensics may be incomplete unless logging was already mature.

Threat Modeling Perspective

This vulnerability maps to:

  • Confused Deputy Problem
  • Insecure Direct Object Reference (logical form)
  • Credential Material Reuse

It demonstrates why cryptographic correctness ≠ security correctness.

Hardening Recommendations Beyond the Patch

Even after upgrading:

  • Enforce short-lived share tokens
  • Monitor assistant sharing frequency
  • Restrict API key scopes
  • Alert on cross-token behavior

Security teams should treat share tokens as externally exposed secrets, not convenience links.

Official Patch

The issue is fully resolved in RAGFlow version 0.22.0.

Official patch link:
https://github.com/infiniflow/ragflow/releases/tag/v0.22.0

Final Analyst Assessment

CVE-2025-69286 is a high-impact identity flaw that bypasses traditional defenses because it abuses valid cryptographic behavior used incorrectly.

This vulnerability is especially dangerous in:

  • AI platforms
  • Knowledge systems
  • Multi-user RAG deployments

Any environment that exposed assistant share links should assume potential historical compromise and respond accordingly.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.