xiand.ai
Apr 16, 2026 · Updated 01:48 PM UTC
Cybersecurity

Unpatched RAGFlow vulnerability allows remote code execution

A critical flaw in the RAGFlow retrieval-augmented generation platform allows authenticated users to execute arbitrary code on instances using Infinity storage.

Ryan Torres



Security researchers at ZeroPath have identified an unpatched vulnerability in RAGFlow 0.24 that allows low-privilege authenticated users to execute arbitrary code on affected systems. The flaw specifically impacts RAGFlow instances configured to use Infinity for chunk storage.

RAGFlow, a highly popular project for Retrieval Augmented Generation (RAG), currently holds over 77,000 stars on GitHub. While many users keep the service on internal networks, Shodan data reveals at least 1,918 instances are directly accessible on the public internet.

Researchers discovered the vulnerability within the software's re-ranking phase. The flaw stems from the use of the Python `eval()` function during the retrieval process, which can execute any Python code if the underlying data is corrupted.
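The pattern described above, shown as an added example rather than RAGFlow's own code: a vector field read back from chunk storage is parsed with `eval()`, beside a hardened parser that accepts only a literal list of numbers. The field name `q_vec`, the serialised-list format and the sample rows are constructed assumptions for illustration, not the project's schema.

```python
import ast
from typing import Dict, List, Tuple

# Constructed sample records imitating chunks read back from a storage
# backend. Field names and the serialised-list format are assumptions.
SAMPLE_ROWS = [
    {"id": "chunk-1", "q_vec": "[0.12, 0.88, 0.33]"},
    {"id": "chunk-2", "q_vec": "[0.40, 0.10, 0.95]"},
    # A corrupted record: an expression, not a plain literal. A safe parser
    # must reject it instead of evaluating it.
    {"id": "chunk-3", "q_vec": "sum(range(3))"},
]


def parse_vector_unsafe(field: str) -> List[float]:
    """Vulnerable pattern: eval() runs whatever the stored string contains,
    so tampered storage turns into code execution in the retrieval process."""
    return eval(field)  # intentionally unsafe, kept only for contrast


def parse_vector_safe(field: str) -> List[float]:
    """Hardened form: ast.literal_eval only builds Python literals and never
    calls functions or imports, and the shape is checked afterwards."""
    try:
        value = ast.literal_eval(field)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"vector field is not a literal: {field!r}") from exc
    if not isinstance(value, list) or not all(
        isinstance(x, (int, float)) and not isinstance(x, bool) for x in value
    ):
        raise ValueError("vector field must be a list of numbers")
    return [float(x) for x in value]


def load_vectors(rows) -> Tuple[Dict[str, List[float]], List[str]]:
    """Parse every row with the safe parser and report rejected chunk ids,
    which a defender would log and alert on as a sign of tampered storage."""
    parsed: Dict[str, List[float]] = {}
    rejected: List[str] = []
    for row in rows:
        try:
            parsed[row["id"]] = parse_vector_safe(row["q_vec"])
        except ValueError:
            rejected.append(row["id"])
    return parsed, rejected
```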

Disclosure and remediation

ZeroPath filed an initial security report on March 3, 2026, but stated they were unable to reach project maintainers via email for several weeks.

"After a month, we decided that the most effective way to get the issue fixed was to submit a patch ourselves," ZeroPath researchers wrote in a blog post. The team has since submitted a pull request to the project's GitHub repository to address the issue.

Because the fix was submitted publicly, researchers warned that attackers monitoring the project may now be aware of the exploit. ZeroPath released the findings to help defenders implement countermeasures before a formal patch is fully integrated.

No official patch is currently live for all users, though the researchers expect a resolution soon following their submitted pull request.
