CVE-2026-6587

Summary

A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
vibrantlabsaiRAGAS0.4.0affected
vibrantlabsaiRAGAS0.4.1affected
vibrantlabsaiRAGAS0.4.2affected
vibrantlabsaiRAGAS0.4.3affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

vibrantlabsai RAGAS: vibrantlabsai RAGAS: Server-Side Request Forgery via retrieved_contexts argument manipulation

Additional References

References