
RAGFlow, the open-source Retrieval-Augmented Generation (RAG) platform developed by Infiniflow, has been found vulnerable to a serious account takeover flaw. Tracked as CVE-2025-48187 and assigned a CVSS score of 9.1, this critical vulnerability exposes users to arbitrary registration, login, and password reset attacks via brute-forced email verification codes.
RAGFlow is a popular AI engine designed for deep document understanding and scalable question-answering systems. With over 52,800 GitHub stars, 5,100 forks, and a thriving open-source community, it powers enterprise-grade LLM apps with features like document retrieval, chunking, and contextual generation.
“Versions 0.18.1 and earlier are vulnerable to an account takeover flaw,” the report explains.
The vulnerability stems from poor handling of email-based verification codes across several endpoints:
- /api/verify-code (used during password reset and login)
- /api/signup (used during registration)
An attacker can brute-force 6-digit verification codes without encountering any form of rate limiting, allowing easy exploitation for:
- Resetting another user’s password
- Creating a new account using someone else’s email
- Logging into existing accounts
In the password reset flow, the attacker opens the reset page and enters the victim’s email, which triggers a verification code to be sent to that address. The attacker then brute-forces the code by replaying intercepted requests to /api/verify-code.
“Ultimately, the account takeover is successfully achieved,” the report confirms, once the verification step is bypassed and the password is reset with a crafted POST /api/set-password request.
Similarly, on the registration page:
- The attacker uses the victim’s email to initiate registration.
- Intercepts and manipulates the POST /api/signup request.
- Brute-forces the email verification code.
“There is no rate limiting in place,” the researcher notes. “This indicates that we have successfully achieved arbitrary user registration.”
RAGFlow also allows users to log in with a one-time code, which again uses /api/verify-code. The attacker can repeat the brute-force method here too, leading to unauthorized login without a password.
“This… allows arbitrary user login, leading to full account takeover,” the researcher warns.
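The weakness in all three flows is the same: a 6-digit code that can be guessed an unlimited number of times. As an added illustration (not RAGFlow’s code), the hypothetical store below shows the controls a defender would expect behind an endpoint like /api/verify-code: short expiry, a cap on failed attempts that burns the code, one-time use, and constant-time comparison; the TTL and attempt limit are assumed values.

```python
import hmac
import secrets
import time

# Assumed policy values for this hypothetical mitigation (not from RAGFlow).
CODE_TTL_SECONDS = 600  # a code is valid for 10 minutes
MAX_ATTEMPTS = 5        # the code is discarded after 5 wrong guesses


class VerificationCodeStore:
    """Per-email verification codes with expiry, attempt cap and one-time use."""

    def __init__(self, now=time.time):
        self._now = now   # injectable clock so expiry can be exercised in tests
        self._codes = {}  # email -> {"code", "expires", "attempts"}

    def issue(self, email: str) -> str:
        """Generate a fresh 6-digit code, replacing any code issued earlier."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[email] = {
            "code": code,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, email: str, candidate: str) -> bool:
        """Return True once for the right code; drop it on expiry or too many failures."""
        entry = self._codes.get(email)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._codes[email]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], candidate)  # no timing side channel
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            # One-time use on success; burn the code after MAX_ATTEMPTS failures,
            # so a guessing attacker gets at most MAX_ATTEMPTS tries per issued code.
            del self._codes[email]
        return ok


def brute_force_success_probability(attempts_allowed: int, code_space: int = 10**6) -> float:
    """Chance of guessing a uniformly random code within the allowed attempts."""
    return min(attempts_allowed, code_space) / code_space
```

With the attempt cap, a guessing attacker succeeds against a given code with probability 5 in a million instead of certainty; without it, as on the vulnerable endpoints, every one of the 10^6 codes can be tried.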
This vulnerability has serious implications:
- Compromising sensitive AI or document data in enterprise environments
- Hijacking developer or admin accounts on shared RAGFlow deployments
- Exploiting RAGFlow’s popularity via widespread installations and public demos
At the time of publishing, no patch is available, and the GitHub repository does not indicate rate-limit protections for these endpoints.