This security policy applies to all public projects under the langflow-ai organization on GitHub. We prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly.

• Fixes are released either as part of the next minor version (e.g., 1.3.0 → 1.4.0) or as an on-demand patch version (e.g., 1.3.0 → 1.3.1)
• Security fixes are given priority and might be enough to cause a new version to be released

We encourage responsible disclosure of security vulnerabilities. If you find or suspect a security issue, please discreetly report it to us so we can address it promptly:

Go to the OpenRAG Security page, and then click Report a vulnerability to start a private conversation between you and the repository's maintainers.

Provide as many specific details as possible to help us reproduce and fix the issue quickly, including the following:

• Steps to reproduce the issue
• Potential impact or concerns
• Any suggested fixes

Your report is kept confidential, and these details aren't shared without your consent.

We will acknowledge your report within 5 business days.

We will provide an estimated resolution timeline.

We will keep you updated on our progress.

• Don't publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users.
• If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least 30 days in advance for review.
• Disclosures must not include the following:
  • Data from any OpenRAG customer projects
  • OpenRAG user/customer information
  • Details about OpenRAG employees, contractors, or partners

We appreciate your efforts in helping us maintain a secure platform, and we look forward to working together to resolve any issues responsibly.

The following known vulnerabilities are for the OpenRAG codebase.

This list doesn't include vulnerabilities within OpenRAG dependencies like OpenSearch and Langflow. For Langflow vulnerabilities, see the Langflow SECURITY.md.

There are no known vulnerabilities exclusive to the OpenRAG application at this time.

It is recommended that you set a Langflow password (LANGFLOW_SUPERUSER_PASSWORD) so the Langflow server starts with authentication enabled and the langflow superuser command disabled.

You can set this password when you install OpenRAG, or you can edit the OpenRAG .env file and redeploy the OpenRAG containers.

For more information, see OpenRAG's Langflow settings reference.