Vulnerability  ·  2026-07-03

RAGFlow — Stored XSS via Unsanitised Agent Pipeline Node Name in Dataflow Result UI (CVE-2026-58579)

Vulnerability  ·  Medium impact  ·  Global  ·  CVE-2026-58579
CVE-2026-58579 (CVSS 5.4 Medium) was published to NVD on 2 July 2026. RAGFlow before 0.26.3 stores agent pipeline DSL node names without HTML sanitisation. The agent update endpoint normalises the DSL for JSON validity but preserves node names verbatim. The dataflow result web UI then renders those names as raw HTML, creating a stored XSS condition confirmed in a GitHub issue (infiniflow/ragflow#16507).
RAGFlow is a widely used open-source enterprise RAG platform. A stored XSS in the agent pipeline UI allows an attacker with create/update pipeline access to execute arbitrary JavaScript in any other user's browser session — including admin sessions — enabling session hijacking, credential theft, or further lateral movement within the RAGFlow instance. In multi-tenant or team deployments, one compromised pipeline author can impact all users viewing agent results.
An authenticated user submits a crafted DSL via the agent update endpoint (PUT /v1/agents/<agent_id>). The normalize_dsl() handler performs only JSON structure validation and preserves node names verbatim. When any user views the dataflow result page, hooks.ts renders the node name as raw HTML, executing the injected script in their browser session.
RAGFlow (infiniflow/ragflow) < 0.26.3
Upgrade RAGFlow to version 0.26.3 or later. Patch commit: https://github.com/infiniflow/ragflow/commit/572f1ea9f4eba6a60e64f7437dee60aa1c0913f1
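
The flow described above depends on node names reaching the browser unencoded. As an added example (not RAGFlow's code or the patch), this JavaScript walks a parsed agent DSL, flags node names containing HTML-significant characters, and gives the entity-encoded form that renders as text. The DSL layout, the `name` key and the function names are assumptions.

```javascript
// Added example: the DSL layout and all names here are assumptions, not RAGFlow code.

// Characters that change meaning when a string is placed into HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value so it renders as text even if it is inserted as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk a parsed DSL and report every "name" string that contains characters
// needing encoding. Assumes node names are stored under a "name" key.
function findUnsafeNodeNames(dsl, path = "$", hits = []) {
  if (Array.isArray(dsl)) {
    dsl.forEach((item, i) => findUnsafeNodeNames(item, `${path}[${i}]`, hits));
  } else if (dsl !== null && typeof dsl === "object") {
    for (const [key, value] of Object.entries(dsl)) {
      const child = `${path}.${key}`;
      if (key === "name" && typeof value === "string" && /[&<>"']/.test(value)) {
        hits.push({ path: child, name: value, escaped: escapeHtml(value) });
      } else {
        findUnsafeNodeNames(value, child, hits);
      }
    }
  }
  return hits;
}

// Constructed sample DSL (hypothetical layout): one plain name, one with markup.
const sampleDsl = {
  graph: {
    nodes: [
      { id: "n1", data: { name: "Retrieval" } },
      { id: "n2", data: { name: "<img src=x>Parser" } },
    ],
  },
};

const findings = findUnsafeNodeNames(sampleDsl);
console.log(JSON.stringify(findings, null, 2));
```

A name flagged here is not necessarily malicious (an ampersand in a label is enough), so treat the output as a review list of names that must be encoded before display.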
Sources
NVD — CVE-2026-58579
GitHub Issue infiniflow/ragflow#16507 — Stored XSS via Agent Pipeline Node Name
RAGFlow patch commit