infiniflow RAGFlow Partial Account Takeover Vulnerability via Insecure Data Querying

Vulnerability

A vulnerability in infiniflow RAGFlow version 0.13.0 allows for partial account takeover through insecure data querying related to tenant IDs. Users with access to multiple tenants can manipulate their tenant access to query and retrieve API tokens from other tenants. This issue affects several endpoints, including token management and API token deletion. Exploitation of this vulnerability enables access to other tenants' API tokens, allowing actions to be performed on their behalf and access to their data.

Impact

Exploitation of this vulnerability allows an attacker to access API tokens from other tenants, perform actions on behalf of those tenants, and access their data.

Reproduction

To reproduce this vulnerability, log in as a user with access to multiple tenants. Invite another user to your tenant, then log into that user's account and check the API token list, which will be empty. After deleting the user's access to their own tenant, the user can access the inviting user's tenant and retrieve API tokens from there. This can be done using the token list endpoint or the API management endpoints. A video demonstration of this process is available.
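The access-control flaw behind the reproduction steps above, modelled as an added example (this is not RAGFlow's code or schema; the membership table, the "owner"/"normal" roles, the user and tenant names and the token values are constructed assumptions): the weak lookup returns tokens for whichever tenant the user happens to be a member of, so dropping one's own tenant makes an invited tenant's tokens visible, while the hardened lookup only returns tokens for a tenant the user owns.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Membership:
    user_id: str
    tenant_id: str
    role: str  # constructed roles: "owner" or "normal" (invited member)


# Constructed data: alice owns tenant_a and has invited bob into it;
# bob owns tenant_b, which has no API tokens (so his own list is empty).
MEMBERSHIPS = [
    Membership("alice", "tenant_a", "owner"),
    Membership("bob", "tenant_b", "owner"),
    Membership("bob", "tenant_a", "normal"),
]
API_TOKENS = {"tenant_a": ["tok-a-1"], "tenant_b": []}


def memberships_of(user_id, memberships):
    return [m for m in memberships if m.user_id == user_id]


def list_tokens_vulnerable(user_id, memberships, tokens):
    # Weak query: resolve "the user's tenant" as the first membership found,
    # regardless of role. Once bob removes himself from tenant_b, the first
    # membership left is tenant_a and alice's tokens are returned to him.
    ms = memberships_of(user_id, memberships)
    if not ms:
        return []
    return list(tokens.get(ms[0].tenant_id, []))


def list_tokens_hardened(user_id, memberships, tokens):
    # Hardened query: API tokens are only ever returned for tenants the user
    # owns; membership obtained through an invitation confers no token access.
    owned = [m.tenant_id for m in memberships_of(user_id, memberships) if m.role == "owner"]
    return [t for tid in owned for t in tokens.get(tid, [])]


def remove_membership(memberships, user_id, tenant_id):
    # Models the "delete access to own tenant" step from the reproduction.
    return [m for m in memberships if not (m.user_id == user_id and m.tenant_id == tenant_id)]
```

Running the vulnerable lookup for bob before and after `remove_membership(MEMBERSHIPS, "bob", "tenant_b")` reproduces the empty-then-leaked token list; the hardened lookup stays empty for bob in both states.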

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread: 0.0
impact: 5.0
exploitability: 4.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.