CVE-2026-24770 Overview
CVE-2026-24770 is a path traversal vulnerability, commonly known as "Zip Slip," affecting RAGFlow, an open-source Retrieval-Augmented Generation (RAG) engine. The vulnerability exists in the MinerU parser component in version 0.23.1 and potentially earlier versions. By exploiting improper filename sanitization during ZIP archive extraction, an attacker can overwrite arbitrary files on the server, ultimately achieving Remote Code Execution (RCE).
Critical Impact
This Zip Slip vulnerability allows unauthenticated remote attackers to overwrite arbitrary files on the server, potentially leading to complete system compromise through Remote Code Execution.
Affected Products
- RAGFlow version 0.23.1
- RAGFlow versions prior to 0.23.1 (potentially affected)
- Systems using the MinerUParser class for ZIP extraction
Discovery Timeline
- 2026-01-27 - CVE-2026-24770 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24770
Vulnerability Analysis
This vulnerability stems from a classic Zip Slip attack pattern (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The MinerUParser class in RAGFlow retrieves and extracts ZIP files from an external source configured via mineru_server_url. The core issue lies in the _extract_zip_no_root function, which processes filenames within the ZIP archive without proper sanitization.
When extracting files from a ZIP archive, the function fails to validate that the resulting file path remains within the intended destination directory. An attacker can craft a malicious ZIP archive containing files with directory traversal sequences (such as ../) in their filenames. When extracted, these files are written outside the intended extraction directory, potentially overwriting critical system files or application components.
Root Cause
The root cause is the absence of filename sanitization in the _extract_zip_no_root extraction logic. The function does not perform path canonicalization or validate that extracted file paths resolve to locations within the designated extraction directory. This allows directory traversal sequences embedded in ZIP entry filenames to escape the extraction boundary.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability through the following attack chain:
- The attacker crafts a malicious ZIP archive containing files with path traversal sequences in their names (e.g., ../../etc/cron.d/malicious or ../../../app/config.py)
- The attacker hosts this malicious ZIP file on a server or manipulates the mineru_server_url to point to the malicious archive
- When RAGFlow's MinerUParser processes the archive, files are extracted to arbitrary locations on the filesystem
- By overwriting application code, configuration files, or system scripts, the attacker achieves Remote Code Execution
The vulnerability mechanism can be understood conceptually: during ZIP extraction, the code retrieves each entry's filename directly from the archive without validating the path. A filename like ../../../../tmp/malicious.sh would result in the file being written far outside the intended extraction directory. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2026-24770
Indicators of Compromise
- Unexpected files appearing outside the normal RAGFlow data directories
- Modified system files or application configuration files with recent timestamps
- Evidence of cron jobs or startup scripts that were not legitimately created
- Unusual process execution originating from the RAGFlow application context
Detection Strategies
- Monitor file system activity for writes outside expected extraction directories during ZIP processing operations
- Implement file integrity monitoring (FIM) on critical system directories and application code paths
- Review web server and application logs for suspicious ZIP file requests or unusual MinerU parser activity
- Alert on any file creation events in sensitive directories like /etc/cron.d/, /usr/bin/, or application root directories
Monitoring Recommendations
- Enable detailed logging for the MinerUParser component and ZIP extraction operations
- Configure real-time alerts for file modifications in protected system directories
- Monitor network traffic to and from the mineru_server_url endpoint for anomalies
- Implement SentinelOne's Singularity XDR for behavioral detection of post-exploitation activities following arbitrary file writes
How to Mitigate CVE-2026-24770
Immediate Actions Required
- Update RAGFlow to a version containing commit 64c75d558e4a17a4a48953b4c201526431d8338f or later
- If immediate patching is not possible, restrict network access to the MinerU parser functionality
- Review server file systems for signs of compromise, particularly in system directories
- Implement network segmentation to limit the RAGFlow server's ability to write to sensitive file paths
Patch Information
The vulnerability has been addressed in commit 64c75d558e4a17a4a48953b4c201526431d8338f. This patch adds proper filename sanitization to the ZIP extraction logic, ensuring that extracted files cannot escape the designated extraction directory. Users should update their RAGFlow installations to include this fix. For patch details, see the GitHub Commit.
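To make the root cause and the fix concrete, here is an added Python example (written for this page; it is neither RAGFlow's extraction code nor the actual patch) that shows the containment check a Zip Slip fix needs: every entry name is canonicalized against the destination and the whole archive is refused if any entry would land outside it. The destination path and the archive entries are constructed sample values.

```python
import io
import os
import zipfile


def is_safe_entry(dest_dir: str, name: str) -> bool:
    """True iff ZIP entry `name` resolves to a path inside dest_dir."""
    dest = os.path.realpath(dest_dir)
    # os.path.join drops dest when name is absolute ('/etc/passwd' stays
    # absolute) and realpath collapses '..' components, so both the
    # '../../etc/cron.d/x' and the absolute-path cases fail containment.
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) == dest


def safe_extract_zip(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an in-memory ZIP into dest_dir; reject the archive on any escape."""
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every entry before writing anything, so a hostile
        # archive cannot partially land on disk before the bad entry.
        for info in zf.infolist():
            if not is_safe_entry(root, info.filename):
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
        written = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Entries are written as regular files only; no symlinks are
            # created, so a later entry cannot be redirected through one.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
        return written


def make_zip(entries: dict) -> bytes:
    """Build a constructed test archive; names are stored verbatim, '../' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```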
Workarounds
- Disable or restrict access to the MinerU parser functionality until the patch can be applied
- Configure the application to run with minimal filesystem permissions to limit the impact of arbitrary file writes
- Implement a Web Application Firewall (WAF) rule to inspect and block requests containing malicious ZIP archives
- Use container isolation or chroot environments to constrain the RAGFlow application's filesystem access
# Example: Run RAGFlow in a restricted container environment
# --read-only makes the image filesystem immutable, so a traversal write
# outside a mounted, writable path fails; /tmp stays writable but noexec
docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  --security-opt=no-new-privileges \
  ragflow:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.