More than 146,000 GitHub stars mark Dify’s popularity — and, researchers warn, a broad attack surface when the platform’s multi-tenant defaults go wrong.
What Zafran Security's “DifyTap” research uncovered
Security researchers Ido Shani and Gal Zaban, working with Zafran Security, disclosed four vulnerabilities collectively codenamed DifyTap that could let attackers read AI conversations from other customers’ applications without authentication. "Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another," the researchers said.
The defects created several read-oriented exposure paths: an attacker could intercept messages and model responses, traverse an internal Plugin Daemon API from unauthenticated requests and trigger cross-tenant internal API calls, preview documents uploaded by other tenants, and leak files across users within a tenant by supplying another user's file UUID.
Four CVEs, distinct mechanics and scores
- CVE-2026-41947 (CVSS 9.1) — an authorization bypass allowing authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership.
- CVE-2026-41948 (CVSS 9.4) — a path traversal flaw letting authenticated users manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization, giving access to internal, private endpoints. This flaw remained unfixed at the time of disclosure.
- CVE-2026-41949 (CVSS 7.5/5.9) — an authorization bypass in the file preview endpoint ("/console/api/files/{file_id}/preview") that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID.
- CVE-2026-41950 (CVSS 6.5) — an authorization bypass allowing authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request.
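For the path traversal class described under CVE-2026-41948, the following added example (not Dify's code) contrasts a weak pre-decoding check with a guard that decodes fully, rejects dot segments and re-verifies the tenant prefix before a request is forwarded to an internal API. The `/tenant/<id>/` layout, the `/admin` path and all function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical layout: each tenant may only reach paths under /tenant/<id>/
# on the internal API. Not taken from Dify's code.
INTERNAL_ROOT = "/tenant/"

def resolve_like_backend(path: str) -> str:
    """What a backend that decodes and normalizes would end up serving."""
    return posixpath.normpath(unquote(path))

def naive_forward_path(tenant_id: str, user_path: str) -> str:
    """Weak check (constructed): looks for literal '..' before decoding."""
    if ".." in user_path:
        raise ValueError("dot segment in path")
    return f"{INTERNAL_ROOT}{tenant_id}/{user_path}"

def safe_forward_path(tenant_id: str, user_path: str) -> str:
    """Decode fully, reject dot segments, then confirm the prefix still holds."""
    decoded = user_path
    for _ in range(4):  # bounded loop: handles nested percent-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise ValueError("path still changes after repeated decoding")
    if any(ord(c) < 0x20 for c in decoded) or "\\" in decoded:
        raise ValueError("control character or backslash in path")
    if any(seg in (".", "..") for seg in decoded.split("/")):
        raise ValueError("dot segment in path")
    base = f"{INTERNAL_ROOT}{tenant_id}/"  # tenant_id comes from the session
    candidate = posixpath.normpath(base + decoded.lstrip("/"))
    if not (candidate + "/").startswith(base):
        raise ValueError("path escapes tenant prefix")
    return candidate

def is_rejected(user_path: str) -> bool:
    """True when the hardened guard refuses the path for tenant 't1'."""
    try:
        safe_forward_path("t1", user_path)
        return False
    except ValueError:
        return True
```
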
How attackers could turn features into exfiltration channels
The researchers describe a concrete exploitation path: missing tenant ownership checks let an attacker redirect all messages and model responses from victim applications to an attacker-controlled LLM trace provider. Because "anyone can freely register for a Dify account," an attacker could register, configure tracing, and, where applications are publicly reachable, create a persistent exfiltration channel that captures every message and response sent to the application.
Separately, the file preview and file-UUID behaviors permit targeted reading of uploaded documents — up to 3,000 characters across tenants or full files within a tenant — simply by supplying known UUIDs.
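The missing ownership checks behind the trace-configuration and file-UUID issues can be illustrated with an added example (not Dify's code) that sets an ID-only lookup beside a lookup scoped to the caller's tenant and user. The record types, IDs and the assumption that uploads are private to the uploading user are constructed for the illustration.

```python
from dataclasses import dataclass

PREVIEW_LIMIT = 3000  # preview length quoted for the file preview endpoint

@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: str

@dataclass(frozen=True)
class Upload:
    tenant_id: str
    owner_id: str
    text: str

@dataclass
class App:
    tenant_id: str
    trace_provider: str = ""

# Constructed sample records; IDs are placeholders, not real UUIDs.
FILES = {"file-a1": Upload("tenant-a", "alice", "Q3 forecast " * 400),
         "file-b1": Upload("tenant-b", "bob", "contract draft")}
APPS = {"app-a": App("tenant-a"), "app-b": App("tenant-b")}

class NotFound(Exception):
    """Raised for both missing and foreign objects, so IDs cannot be probed."""

def preview_by_id_only(caller: Caller, file_id: str) -> str:
    # Flawed pattern: the caller is authenticated but never compared to the file.
    return FILES[file_id].text[:PREVIEW_LIMIT]

def preview_scoped(caller: Caller, file_id: str) -> str:
    f = FILES.get(file_id)
    # Assumption: uploads are private to the uploading user within a tenant.
    if f is None or (f.tenant_id, f.owner_id) != (caller.tenant_id, caller.user_id):
        raise NotFound(file_id)
    return f.text[:PREVIEW_LIMIT]

def set_trace_provider(caller: Caller, app_id: str, provider_url: str) -> None:
    app = APPS.get(app_id)
    if app is None or app.tenant_id != caller.tenant_id:
        raise NotFound(app_id)  # same answer as "no such app"
    app.trace_provider = provider_url

def denied(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except NotFound:
        return True
```
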
PDF parsing risk: an older CVE reappears
Zafran also reported that Dify's file-parsing stack used a version of PDFium vulnerable to CVE-2024-5846 (CVSS 8.8), a two-year-old use-after-free bug. That vulnerability can allow remote exploitation via a crafted PDF and adds a file-parsing vector to the exposure scenarios already posed by the preview and file-UUID issues.
Dify's response: patches, and one outstanding fix
Following responsible disclosure, Dify shipped version 1.14.2 last month to remediate all the listed vulnerabilities except CVE-2026-41948. The company said a fix for that remaining flaw is expected to be made available in the next release. Dify characterized DifyTap as illustrative of a broader transparency challenge: "DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect."
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: verify that deployed instances have been upgraded to Dify 1.14.2 and confirm whether the planned fix for CVE-2026-41948 has landed. Pay particular attention to the Plugin Daemon internal API, trace configuration controls, and file preview endpoints for unusual or elevated access patterns.
- Procurement and affected enterprises: confirm which applications are public-facing and whether tracing or file-upload features expose UUIDs or trace-provider endpoints that could be configured by external accounts. Require proof of fixes for CVE-2026-41948 before assuming full remediation.
- End users and operators of tenant workspaces: be aware that uploaded documents may previously have been readable in part (up to 3,000 characters, across tenants) or in full within a tenant by another authenticated user who supplied the file's UUID, and that crafted PDFs could target an older PDFium vulnerability (CVE-2024-5846).
DifyTap is a reminder that high popularity and open-source ecosystems do not eliminate subtle authorization and path-sanitization failures. Three of the four DifyTap flaws carry cross-tenant impact, and the Plugin Daemon path traversal (CVE-2026-41948, CVSS 9.4) is still pending a fix, so the immediate record is mixed: a broad patch rollout, plus one outstanding high-scoring flaw that Dify expects to address in its next release. Organizations that rely on Dify or host public applications on the platform should validate upgrades and monitor for unexpected outbound trace configuration or file-access behavior.
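As one way to watch the file preview endpoint for unusual access patterns, this added example (not from the original report or from Dify) flags accounts that preview many distinct file UUIDs. The JSON log format, field names, threshold and sample events are assumptions constructed for the illustration; only the endpoint path comes from the advisory.

```python
import json
import re
from collections import defaultdict

PREVIEW_RE = re.compile(r"^/console/api/files/([0-9a-f-]{36})/preview$", re.I)

def _uuid(n: int) -> str:
    return f"00000000-0000-4000-8000-{n:012d}"  # constructed placeholder IDs

def _event(account: str, n: int, status: int) -> str:
    return json.dumps({"account": account, "method": "GET", "status": status,
                       "path": f"/console/api/files/{_uuid(n)}/preview"})

# Constructed log: acct-1 re-reads one file; acct-2 walks many distinct IDs.
SAMPLE_LOG = ([_event("acct-1", 1, 200)] * 4
              + [_event("acct-2", n, 200 if n % 2 else 404) for n in range(10, 18)]
              + ['{"account": "acct-3", "path": "/console/api/apps", "status": 200}',
                 "not json at all"])

def flag_preview_fanout(lines, max_distinct=5):
    """Return {account: (distinct_file_ids, denied_or_missing)} above threshold."""
    files = defaultdict(set)
    misses = defaultdict(int)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if not isinstance(ev, dict):
            continue
        m = PREVIEW_RE.match(str(ev.get("path", "")))
        if not m:
            continue  # not a preview request
        acct = ev.get("account", "<unknown>")
        files[acct].add(m.group(1).lower())
        if ev.get("status") in (403, 404):
            misses[acct] += 1  # refused or nonexistent IDs suggest guessing
    return {a: (len(ids), misses[a]) for a, ids in files.items()
            if len(ids) > max_distinct}
```
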
Original reporting: The Hacker News — Researchers Detail DifyTap Flaws in Dify




