The vulnerability arises from the ability to pass an absolute path to a call to os.path.join in the RAG-knowledge endpoint. This allows an attacker to write arbitrary files to arbitrary locations on the target server. The root cause is the user-controllable doc_file.filename parameter, which can be set to an absolute path, bypassing the intended directory constraints.

An attacker could exploit this vulnerability by first creating a knowledge space and then uploading a document with a payload that specifies an absolute path for the file name. This would allow the attacker to write arbitrary files to the server, potentially overwriting critical system files or creating new entries such as SSH keys.

Users running version 0.6.0 of the software are affected by this vulnerability. This includes any deployments where the RAG-knowledge endpoint is exposed and accessible.