CVE-2026-24770
CVE ID: CVE-2026-24770
Product: RAGFlow – MinerU ingestion component
Affected Versions: All versions ≤ 0.23.1
Vulnerability Type: Zip Slip (Path Traversal) leading to Arbitrary File Overwrite and Remote Code Execution
Severity: Critical
CVSS v3.1 Score: 9.8 (Critical)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Exploitability: High
Exploit Availability: No fully weaponized public exploit observed; exploitation is trivial due to the well-known nature of the vulnerability class (Zip Slip)
Official Patch / Upgrade Link : Link provided below
Overview
A critical security vulnerability was identified in the MinerU component of RAGFlow that allows remote attackers to achieve arbitrary file overwrite and potentially remote code execution. The issue exists due to improper handling of ZIP archive extraction when processing externally supplied archives. File paths embedded within ZIP entries were not sufficiently validated, allowing crafted filenames to escape the intended extraction directory.
When exploited, this vulnerability allows files to be written anywhere on the filesystem that the RAGFlow process has permission to access. By overwriting application files, configuration files, scripts, or web-accessible resources, an attacker can escalate the impact from file overwrite to full remote code execution.
Root Cause Analysis
The vulnerability is caused by unsafe ZIP extraction logic in the MinerU ingestion workflow. During extraction:
- ZIP entry paths were trusted without canonical path validation.
- Path traversal sequences such as
../or Windows-style..\were not rejected. - Absolute paths were not consistently blocked.
- Symbolic links embedded in archives were not filtered.
- Encrypted ZIP entries were allowed without validation.
As a result, ZIP entries could resolve to filesystem locations outside the intended extraction directory, leading to unrestricted file write operations.
Attack Scenario
- A malicious ZIP archive is prepared containing crafted file paths such as:
../../app/config.py/var/www/html/shell.php
- The archive is supplied to a vulnerable RAGFlow instance via an ingestion workflow that uses MinerU.
- During extraction, files are written outside the expected directory structure.
- Overwritten or newly created files are later executed by the application, web server, or scheduled processes.
- Remote code execution is achieved under the privileges of the RAGFlow service account.
No authentication is required if the ingestion endpoint is exposed or accessible to untrusted sources.
Proof of Concept (Educational Purpose Only)
A practical proof-of-concept for CVE-2026-24770 does not rely on complex exploitation logic. The issue can be reliably triggered using a specially crafted ZIP archive that contains directory traversal sequences or absolute paths within its file entries.
Technical Trigger Condition
The vulnerability is exposed when the ZIP extraction routine:
- Trusts file paths embedded in the ZIP archive
- Does not canonicalize or validate extracted paths
- Does not enforce that extracted files remain within the intended destination directory
PoC ZIP Characteristics
A malicious ZIP archive may include entries such as:
../../tmp/poc.txt../config/settings.yaml/var/www/html/test.php..\..\Windows\Temp\poc.txt(on Windows-based deployments)
These paths, when extracted by a vulnerable MinerU component (≤ 0.23.1), resolve outside the designated extraction directory, resulting in arbitrary file write.
Expected Vulnerable Behavior
When the crafted ZIP is processed:
- The extraction logic writes files to attacker-controlled filesystem locations
- No validation prevents traversal outside the target directory
- Files are created or overwritten with the permissions of the RAGFlow process
This confirms the arbitrary file overwrite condition, which is the core prerequisite for escalation to remote code execution depending on what file is overwritten.
Security Context
Because this vulnerability belongs to the well-known Zip Slip class, exploitation techniques are:
- Widely documented
- Easily reproducible
- Straightforward to validate in test environments
No live exploit or weaponized payload is required to demonstrate impact.
Impact
If successfully exploited, this vulnerability can result in:
- Arbitrary file overwrite
- Application compromise
- Remote code execution
- Data exposure or data destruction
- Persistence mechanisms placed on the host
- Lateral movement within the environment if credentials or scripts are overwritten
The impact is constrained only by the file system permissions of the RAGFlow process.
MITRE Mapping
CWE:
- CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
MITRE ATT&CK (Defensive Mapping):
- T1190 – Exploit Public-Facing Application
- T1203 – Exploitation for Client Execution
- T1105 – Ingress Tool Transfer (via malicious archive delivery)
Detection Strategy
Relevant Log Sources
The following log sources should be monitored to detect exploitation attempts or post-exploitation activity:
- RAGFlow application logs (ZIP ingestion and extraction events)
- Web server or API gateway logs (upload or fetch of ZIP archives)
- Host-based audit logs (file creation/modification events)
- EDR or Sysmon telemetry
- Container runtime logs (if deployed in containers)
- File integrity monitoring systems
Behavioral Indicators of Compromise
- ZIP extraction errors involving path validation or symbolic links
- Unexpected file creation outside designated ingestion directories
- New executable or script files appearing in web roots or application directories
- File modifications occurring immediately after archive ingestion
- Unplanned application restarts or crashes following ingestion events
- Requests to newly created endpoints or scripts
Splunk Detection Rules
1. Suspicious ZIP Upload Followed by File Writes
index=web_logs (uri="*.zip" OR uri="*mineru*")
| eval event_time=_time
| join event_time
[ search index=host_audit action="file_create"
| eval file_time=_time ]
| where abs(event_time - file_time) < 300
| where like(file_path, "%../%") OR like(file_path, "/var/www/%") OR like(file_path, "/etc/%")
| table event_time, src_ip, uri, file_path, user
2. RAGFlow Process Writing Outside Expected Directory
index=endpoint_logs process_name="ragflow"
| where action IN ("file_create","file_modify")
| where NOT like(file_path, "/opt/ragflow/data/%")
| table _time, host, process_name, file_path, user
3. Detection of Suspicious Script Drops
index=endpoint_logs
| where action="file_create"
| where file_extension IN ("php","py","sh","js")
| where like(file_path, "/var/www/%") OR like(file_path, "/opt/%")
| table _time, host, file_path, user
Mitigation and Remediation
- Immediate upgrade or patching is strongly recommended using the official fix.
- Access to MinerU ingestion endpoints should be restricted to trusted sources.
- The RAGFlow service should run under a least-privileged account.
- File system permissions should prevent write access to sensitive directories.
- Archive inspection should be enforced prior to extraction where possible.
- File integrity monitoring should be enabled for critical directories.
Patch Information
The vulnerability has been addressed by hardening the ZIP extraction logic. The fix enforces strict validation of archive entries, blocks path traversal and absolute paths, rejects symbolic links and encrypted ZIP entries, and ensures extracted files remain within the intended directory.
Official Patch Link:
https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f
Final Takeaway
CVE-2026-24770 represents a high-risk vulnerability due to its simplicity, severity, and potential impact. While no widespread exploit has been observed, the vulnerability class is well understood and easily abused. Systems running affected versions should be treated as exposed until patched, and defensive monitoring should be implemented to detect exploitation attempts or post-compromise activity.
Early remediation and proactive detection are critical to preventing full system compromise.
