# Unauthenticated Access to Tenant Files via `GET /image/` in RAGFlow

## meta

platform: huntr
program: RAGFlow
asset: https://github.com/infiniflow/ragflow
date: 2026-02-12
status: DRAFT

````
Repository URL: https://github.com/infiniflow/ragflow
Package Manager: pip
Version Affected: 0.24.0
Vulnerability Type: Missing Authentication for Critical Function
CVSS: 7.5 (High) for CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None

Title: Unauthenticated file access via /v1/document/image/

Description:

# Description

The `GET /v1/document/image/<image_id>` endpoint in RAGFlow performs no authentication because the `@login_required` decorator is commented out in `api/apps/document_app.py`. The handler takes the attacker-controlled route parameter `image_id`, splits it into a storage bucket name and an object name, and fetches that object directly from backend storage (`settings.STORAGE_IMPL.get`). There is no session check and no check that the caller owns the bucket, so whenever `image_id` names an existing object (bucket/object identifiers are known or guessable), the endpoint returns the file contents to any unauthenticated caller.

# Proof of Concept

```bash
RAGFLOW_URL="http://localhost"
IMAGE_ID="-"   # placeholder for <bucket>-<object>; use identifiers of an existing stored image

# No Authorization header and no session cookie
curl -i "${RAGFLOW_URL}/v1/document/image/${IMAGE_ID}"
```

Expected: `401`/`403`.
Actual: `200 OK` and the image/file content in the response body.

Impact:

Any unauthenticated network client can retrieve tenant-stored files and images once the bucket/object identifiers are known, which amounts to cross-tenant data exposure. The precondition is knowledge of valid identifiers; an attacker who has observed them (for example from a shared link, a leaked page source or a previous session) needs nothing else.

Occurrences:

- Permalink: https://github.com/infiniflow/ragflow/blob/bc9ed24a8503a0a5013341b63c428169c27ff280/api/apps/document_app.py#L803-L816
  Description: `@login_required` is commented out and the endpoint reads arbitrary storage objects named by the route parameter.

References:

- https://cwe.mitre.org/data/definitions/306.html — CWE-306: Missing Authentication for Critical Function
- https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/ — OWASP API2:2023 Broken Authentication
````
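The following is an added illustration, not code from the RAGFlow repository, of the handler pattern the description above reports and of the authenticated, ownership-checked variant a fix would need. Everything in it is assumed rather than taken from the project: the `<bucket>-<object>` layout of `image_id`, a storage backend with a `get(bucket, name)` method standing in for `settings.STORAGE_IMPL`, a `Session` object carrying the caller's tenant, and a `bucket_owner` mapping in place of whatever table RAGFlow would consult. In a Flask application the first check is what the commented-out `@login_required` decorator provides; here it is written inline so the block runs without Flask.

```python
"""Added example (not RAGFlow's code): a route that hands storage objects
back by route parameter, with and without the authentication/ownership
checks. Names, the id layout and the owner lookup are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Hypothetical stand-in for the Flask login session."""
    user_id: Optional[str] = None      # None means unauthenticated
    tenant_id: Optional[str] = None


class FakeStorage:
    """Stand-in for settings.STORAGE_IMPL: bucket -> object name -> bytes."""
    def __init__(self) -> None:
        self._objs: Dict[str, Dict[str, bytes]] = {}

    def put(self, bucket: str, name: str, data: bytes) -> None:
        self._objs.setdefault(bucket, {})[name] = data

    def get(self, bucket: str, name: str) -> bytes:
        return self._objs[bucket][name]     # KeyError if the object is absent


class Unauthorized(Exception):
    """No login session (HTTP 401)."""


class Forbidden(Exception):
    """Logged in, but the bucket belongs to another tenant (HTTP 403)."""


class NotFound(Exception):
    """Malformed id or missing object (HTTP 404)."""


def parse_image_id(image_id: str) -> Tuple[str, str]:
    """Assumed '<bucket>-<object>' layout; reject a bare '-' or extra parts."""
    parts = image_id.split("-")
    if len(parts) != 2 or not all(parts):
        raise NotFound("Image not found.")
    return parts[0], parts[1]


def get_image_vulnerable(image_id: str, storage: FakeStorage, session: Session) -> bytes:
    """Mirrors the reported flaw: the session is never consulted, so any
    caller who knows a bucket/object pair gets the bytes back."""
    bkt, nm = parse_image_id(image_id)
    return storage.get(bkt, nm)


def get_image_hardened(image_id: str, storage: FakeStorage, session: Session,
                       bucket_owner: Dict[str, str]) -> bytes:
    """Authenticate first (what @login_required does in Flask), then verify
    the bucket belongs to the caller's tenant before touching storage."""
    if session.user_id is None:
        raise Unauthorized()
    bkt, nm = parse_image_id(image_id)
    if bucket_owner.get(bkt) != session.tenant_id:
        raise Forbidden()
    return storage.get(bkt, nm)


def demo() -> Dict[str, object]:
    """Constructed scenario: one stored image owned by tenant A, probed by an
    anonymous client, a logged-in tenant B user, and its owner."""
    storage = FakeStorage()
    storage.put("kbA", "img1", b"tenant-a-secret")
    owners = {"kbA": "tenantA"}          # assumed bucket -> tenant mapping
    anon = Session()
    tenant_b = Session(user_id="u2", tenant_id="tenantB")
    tenant_a = Session(user_id="u1", tenant_id="tenantA")

    out: Dict[str, object] = {}
    # Missing @login_required: anonymous read succeeds.
    out["unauth_vulnerable"] = get_image_vulnerable("kbA-img1", storage, anon)
    for label, sess in (("unauth_hardened", anon),
                        ("cross_tenant_hardened", tenant_b),
                        ("owner_hardened", tenant_a)):
        try:
            out[label] = get_image_hardened("kbA-img1", storage, sess, owners)
        except (Unauthorized, Forbidden) as exc:
            out[label] = type(exc).__name__
    try:
        get_image_hardened("-", storage, tenant_a, owners)   # the PoC placeholder id
    except NotFound as exc:
        out["bad_id"] = type(exc).__name__
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value!r}")
```

The ownership check matters as much as the login check: restoring `@login_required` alone turns the finding from "anyone on the network" into "any registered user", which is still cross-tenant exposure if bucket identifiers are shared or guessable.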