CVE-2025-69286 RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability

🗓️ 31 Dec 2025 21:52:54Reported by GoogleType

osv

osv🔗 osv.dev👁 4 Views

RAGFlow before 0.22.0 used insecure key generation enabling API key and share token derivation.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2025-69286	1 Jan 202601:12	–	circl
CNNVD	RAGFlow 安全漏洞	31 Dec 202500:00	–	cnnvd
CVE	CVE-2025-69286	31 Dec 202521:52	–	cve
Cvelist	CVE-2025-69286 RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability	31 Dec 202521:52	–	cvelist
EUVD	EUVD-2025-206092	31 Dec 202521:52	–	euvd
NVD	CVE-2025-69286	31 Dec 202522:15	–	nvd
Positive Technologies	PT-2025-54469	31 Dec 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-69286	1 Jan 202622:28	–	redhatcve
Vulnrichment	CVE-2025-69286 RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability	31 Dec 202521:52	–	vulnrichment

Source	Link
github	www.github.com/infiniflow/ragflow/blob/v0.20.5/api/apps/system_app.py
github	www.github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/__init__.py
github	www.github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/api_utils.py
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2025/69xxx/CVE-2025-69286.json
github	www.github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-69286
github	www.github.com/infiniflow/ragflow/commit/a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6

10 Apr 2026 05:35Current

6.8Medium risk

Vulners AI Score6.8

CVSS 49.3

EPSS0.00492

RagFlow insecure key generation share token derivation authentication bypass version 0.22.0