Vulnerability Description
A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected elements are the functions _try_process_local_file and _try_process_url in the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the Collections Module component. Manipulating the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.3 (MEDIUM)
References
- https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability
- https://vuldb.com/submit/791088
- https://vuldb.com/vuln/358222
- https://vuldb.com/vuln/358222/cti
FAQ
What is CVE-2026-6587?
CVE-2026-6587 is a vulnerability with a CVSS score of 6.3 (MEDIUM). A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_mo...
How severe is CVE-2026-6587?
CVE-2026-6587 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6587?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.