CVE-2024-12880 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting infiniflow/ragflow version RAGFlow-0.13.0. The root cause lies in insecure handling of tenant IDs within the application’s API endpoints, specifically /v1/system/token_list, /v1/system/new_token, /v1/api/token_list, /v1/api/new_token, and /v1/api/rm. Users who have legitimate access to multiple tenants can manipulate tenant identifiers in API requests to access API tokens belonging to other tenants. This flaw allows attackers to partially take over accounts by obtaining API tokens that grant access to tenant-specific resources and data. The vulnerability does not require user interaction but does require some level of privileges (PR:L), meaning the attacker must already have access to at least one tenant account. The CVSS v3.0 score is 8.1 (high severity) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, indicating network exploitability with low attack complexity, no user interaction, and significant confidentiality and availability impacts but no integrity impact. No patches or known exploits are currently reported, but the vulnerability poses a serious risk in multi-tenant environments where tenant isolation is critical. Attackers exploiting this vulnerability can access sensitive API tokens, perform unauthorized actions on behalf of other tenants, and potentially disrupt service availability. The issue highlights the importance of strict tenant ID validation and access control enforcement in multi-tenant SaaS or cloud platforms.

For European organizations, this vulnerability can lead to unauthorized access to sensitive API tokens across tenant boundaries, resulting in partial account takeover and unauthorized actions within affected applications. Confidentiality is severely impacted as attackers can access data belonging to other tenants, potentially exposing sensitive or regulated information. Availability is also affected since attackers can perform disruptive actions using stolen tokens. This is particularly critical for organizations operating in regulated sectors such as finance, healthcare, and government, where data isolation and tenant separation are mandatory. Multi-tenant cloud service providers and SaaS platforms using infiniflow/ragflow are at risk of cross-tenant data breaches, which could lead to compliance violations under GDPR and other data protection laws. The vulnerability could also damage trust and lead to financial and reputational losses. Given the network-based exploitability and low complexity, attackers with limited privileges can escalate their access, increasing the threat surface for European enterprises relying on this software.

1. Immediately implement strict tenant ID validation on all API endpoints to ensure users can only access tokens and data for tenants they are authorized for. 2. Enforce robust access control checks server-side, independent of client-supplied tenant identifiers. 3. Monitor and audit API token usage and access patterns to detect anomalous cross-tenant access attempts. 4. Isolate tenant data and tokens in separate storage or namespaces to minimize risk of unauthorized access. 5. If possible, restrict multi-tenant access privileges to only those users who absolutely require it, reducing the attack surface. 6. Apply network-level segmentation and zero-trust principles to limit lateral movement between tenant environments. 7. Stay alert for vendor patches or updates addressing this vulnerability and apply them promptly once available. 8. Educate developers and security teams on secure multi-tenant design principles to prevent similar flaws. 9. Consider implementing multi-factor authentication and token expiration policies to limit token misuse. 10. Conduct penetration testing focused on tenant isolation to proactively identify weaknesses.