RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
RAGFlow versions 0.24.0 and earlier contain a critical Server-Side Template Injection (SSTI) vulnerability in the prompt generator component that allows authenticated users to execute arbitrary operating system commands. The vulnerability stems from improper handling of Jinja2 templates, where user-controlled input reaches template rendering without sanitization. This is particularly dangerous because any user can register on a RAGFlow instance, create a Canvas workflow combining DuckDuckGo and LLM components, and trigger the injection to gain complete command execution on the server. Organizations deploying RAGFlow for retrieval-augmented generation tasks face immediate risk of full system compromise, data exfiltration, and lateral movement within their infrastructure.
While this CVE maps to CWE-1336 (Improper Neutralization of Special Elements used in a Template Engine) rather than specific MITRE ATT&CK techniques, Casky's Claude-powered analysis would detect the attack chain through reconnaissance of template injection patterns and code execution indicators. Security practitioners using Casky would observe findings aligned with Execution techniques (T1059 - Command and Scripting Interpreter) and Persistence mechanisms, as the vulnerability allows direct OS command execution. Detection would focus on suspicious Jinja2 variable expansion within prompt generation logs, unusual Canvas workflow configurations combining data retrieval with template processing, and authentication events followed by rapid workflow creation—behavioral patterns indicating exploitation attempts before command execution occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-45312. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation