DifyTap Vulnerabilities Expose AI Chats Across Tenants

Security researchers have uncovered four significant vulnerabilities in Dify, an open-source agentic workflow platform with over 146,000 GitHub stars. These flaws, collectively named DifyTap by Zafran Security, could allow unauthorized access to AI conversations across different customers’ applications.

Two of these vulnerabilities are classified as critical, with two requiring no authentication. Three of the flaws impact Dify’s multi-tenant cloud service, potentially exposing one customer’s data to another. This exposure could enable attackers to read private AI chats from other customers’ applications, creating a covert channel for exfiltrating messages and model responses.

Additionally, the vulnerabilities allow unauthorized traversal of Dify’s internal Plugin Daemon API and the triggering of cross-tenant internal API calls. Attackers could also preview documents uploaded by other tenants and leak files across users within a tenant by exploiting unique file identifiers.

Another concern is Dify’s reliance on an outdated version of PDFium, an open-source C++ library for PDF rendering. This version is susceptible to CVE-2024-5846, a use-after-free bug with a CVSS score of 8.8, which could allow remote attackers to exploit heap corruption via crafted PDF files.

The specific vulnerabilities identified are:

  • CVE-2026-41947 (CVSS score: 9.1): An authorization bypass allowing authenticated editor users to set and enable trace configurations for any application, regardless of tenant ownership.
  • CVE-2026-41948 (CVSS score: 9.4): A path traversal vulnerability enabling authenticated users to manipulate requests to the Plugin Daemon’s internal REST API by exploiting insufficient URL path sanitization.
  • CVE-2026-41949 (CVSS score: 7.5/5.9): An authorization bypass in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file’s UUID.
  • CVE-2026-41950 (CVSS score: 6.5): An authorization bypass allowing authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request.

The absence of tenant ownership checks can be exploited to redirect all messages and responses from victim applications to an attacker-controlled LLM trace provider. Notably, anyone can freely register for a Dify account, increasing the risk of exploitation.
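The missing ownership checks described above can be seen by placing a lookup keyed on the file UUID alone next to one scoped to the caller's tenant and user. This is an added illustration, not Dify's code or its patch; the record types, function names and the per-uploader access rule are assumptions, and the sample data is constructed.

```python
import uuid
from dataclasses import dataclass

PREVIEW_LIMIT = 3000  # preview length cited in the article


class Forbidden(Exception):
    """Caller is not allowed to see this file."""


@dataclass(frozen=True)
class UploadedFile:  # hypothetical record, not Dify's schema
    id: str
    tenant_id: str
    uploader_id: str
    text: str


@dataclass(frozen=True)
class Caller:  # identity comes from the session, never from the request body
    user_id: str
    tenant_id: str


def preview_by_id_only(store, file_id):
    """Flawed pattern: knowing the UUID is treated as proof of access."""
    return store[file_id].text[:PREVIEW_LIMIT]


def preview_scoped(store, caller, file_id):
    """Hardened pattern: tenant and uploader are checked on every lookup."""
    f = store.get(file_id)
    # Same error for "missing" and "not yours", so a response never confirms a UUID exists.
    if f is None or f.tenant_id != caller.tenant_id or f.uploader_id != caller.user_id:
        raise Forbidden("file not found")
    return f.text[:PREVIEW_LIMIT]


def demo_store():
    """Constructed sample data: two tenants, two users in tenant-a."""
    files = [
        UploadedFile(str(uuid.uuid4()), "tenant-a", "alice", "A" * 5000),
        UploadedFile(str(uuid.uuid4()), "tenant-a", "bob", "bob's notes"),
        UploadedFile(str(uuid.uuid4()), "tenant-b", "carol", "carol's contract"),
    ]
    return {f.id: f for f in files}
```

The same rule applies to any object addressed by an ID in a request, including per-application settings such as trace configuration: resolve the object, then compare its tenant to the session's tenant before reading or writing it.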

Following responsible disclosure, all vulnerabilities except CVE-2026-41948 have been addressed in version 1.14.2, released last month. A fix for the remaining flaw is expected in the next Dify release.

These findings underscore the critical importance of robust security measures in multi-tenant cloud services. Organizations utilizing Dify should promptly update to the latest version to mitigate these risks and ensure the confidentiality of their AI-driven communications.