RAGFlow Insecure Direct Object Reference Vulnerability Leading to Unauthorized Cross-Tenant Access

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in RAGFlow, an open-source Retrieval-Augmented Generation engine. This vulnerability allows an authenticated user to gain unauthorized access to user accounts in other tenants. By exploiting this flaw, a user can list accounts or add users to different tenant environments. The issue arises because the application does not properly validate tenant IDs in API requests, enabling cross-tenant data manipulation.

Impact

Exploitation of this vulnerability could result in unauthorized access to user accounts across different tenants, allowing for account enumeration and unauthorized user management actions.

Reproduction

To reproduce this vulnerability, an authenticated user can send requests to the user management endpoints of a different tenant by including a tenant ID that they do not belong to. This can be done using a tool like Burp Suite to intercept and modify API requests.

Remediation

Operators and maintainers are advised to validate tenant IDs in API requests by checking, server side, that the authenticated requesting user actually belongs to the specified tenant with a role that permits the requested action, rather than trusting the tenant ID supplied by the client. This validation should be applied to every user management endpoint that accepts a tenant ID.
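An added illustration of that check, not code from RAGFlow itself: the vulnerable handler trusts the client-supplied tenant ID, while the fixed handlers first look up a server-side membership record for the requester. All names (Membership, require_tenant_role, the list/add handlers, the tenant and user IDs) are hypothetical, and the membership data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Membership:
    user_id: str
    tenant_id: str
    role: str  # constructed roles: "owner", "admin" or "member"

class TenantAccessError(PermissionError):
    """Raised when the requester has no qualifying membership in the tenant."""

def require_tenant_role(memberships, requester, tenant_id, allowed_roles):
    """Return the requester's membership in tenant_id, or raise.

    The tenant ID arrives in the request, so it is untrusted input. The only
    thing that makes acting on it safe is a server-side membership record that
    ties the authenticated requester to that tenant with a sufficient role."""
    for m in memberships:
        if m.user_id == requester and m.tenant_id == tenant_id and m.role in allowed_roles:
            return m
    raise TenantAccessError(f"{requester} may not manage users of tenant {tenant_id}")

def list_tenant_users_vulnerable(memberships, requester, tenant_id):
    """IDOR pattern: filters by the supplied tenant_id, never checks the requester."""
    return sorted(m.user_id for m in memberships if m.tenant_id == tenant_id)

def list_tenant_users(memberships, requester, tenant_id):
    """Fixed variant: only a member of the tenant may list its users."""
    require_tenant_role(memberships, requester, tenant_id, ("owner", "admin", "member"))
    return sorted(m.user_id for m in memberships if m.tenant_id == tenant_id)

def add_tenant_user(memberships, requester, tenant_id, new_user_id):
    """Fixed variant: only an owner or admin of the tenant may add users to it."""
    require_tenant_role(memberships, requester, tenant_id, ("owner", "admin"))
    memberships.append(Membership(new_user_id, tenant_id, "member"))
    return list_tenant_users(memberships, requester, tenant_id)

def sample_memberships():
    """Constructed data: alice owns tenant-a; bob owns tenant-b; carol is a member of tenant-b."""
    return [
        Membership("alice", "tenant-a", "owner"),
        Membership("bob", "tenant-b", "owner"),
        Membership("carol", "tenant-b", "member"),
    ]

if __name__ == "__main__":
    ms = sample_memberships()
    print(list_tenant_users_vulnerable(ms, "alice", "tenant-b"))  # cross-tenant leak
    try:
        list_tenant_users(ms, "alice", "tenant-b")
    except TenantAccessError as err:
        print("blocked:", err)
```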

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread:         0.0
impact:         1.3
exploitability: 4.2
remediation:    7.7
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.