DifyTap Vulnerabilities Expose AI Data Across Tenants

Researchers have disclosed critical security flaws in Dify, an open-source platform widely used for developing and managing AI applications. Collectively termed ‘DifyTap,’ these vulnerabilities could allow unauthorized access to sensitive AI data across different tenants.

Dify has gained substantial traction in the AI community, boasting over 140,000 stars on GitHub and more than 10 million Docker pulls. Its adoption spans various industries, with enterprises like Volvo, Maersk, Panasonic, and Thermo Fisher integrating it into their AI workflows, chatbots, and retrieval-augmented generation (RAG) pipelines. The platform’s extensive use underscores the potential impact of these security issues.

Unveiling the DifyTap Vulnerabilities

Security researchers have identified four primary vulnerabilities within Dify, two of which are deemed critical:

  • CVE-2026-41947 (CVSS 9.1): This authorization bypass flaw allows authenticated editor users to configure tracing for any application, irrespective of tenant ownership. Exploiting this vulnerability enables attackers to intercept and exfiltrate all messages and model responses from victim applications, effectively creating a persistent data leakage channel.
  • CVE-2026-41948 (CVSS 9.4): A path traversal vulnerability in Dify’s Plugin Daemon service permits unauthenticated attackers to access internal APIs by sending crafted requests. This flaw arises from inadequate input validation, allowing unauthorized access to internal, private endpoints.
  • CVE-2026-41949 (CVSS 6.5): This issue involves an authorization bypass in the file preview endpoint, enabling authenticated users to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file’s UUID.
  • CVE-2026-41950 (CVSS 6.5): Another authorization bypass allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request.

These vulnerabilities primarily stem from insufficient tenant isolation and inadequate permission enforcement within Dify’s multi-tenant cloud deployment. Such flaws enable attackers to access data belonging to other customers, posing significant privacy and security concerns.
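The missing tenant and owner check described above, shown as a lookup keyed on the UUID alone beside a scoped one. This is an added illustration, not Dify's code: the `FileStore`, `Caller` and `StoredFile` names, the in-memory store, and the rule that a file is readable only by its uploader are all assumptions.

```python
import uuid
from dataclasses import dataclass
PREVIEW_LIMIT = 3000  # preview length the article gives for CVE-2026-41949

@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: str

@dataclass(frozen=True)
class StoredFile:
    owner: Caller  # uploader identity, including the tenant (assumed model)
    text: str

class FileStore:
    def __init__(self):
        self._files = {}

    def add(self, caller, text):
        file_id = str(uuid.uuid4())
        self._files[file_id] = StoredFile(caller, text)
        return file_id

    def preview_unscoped(self, file_id):
        # Flawed pattern: the UUID alone selects the record, whoever is asking.
        f = self._files.get(file_id)
        return f.text[:PREVIEW_LIMIT] if f else None

    def _authorized(self, caller, file_id):
        # Tenant and owner are checked on every lookup. A miss and a denial
        # both yield None, so responses do not reveal whether a UUID exists.
        f = self._files.get(file_id)
        return f if f is not None and f.owner == caller else None

    def preview_scoped(self, caller, file_id):
        f = self._authorized(caller, file_id)
        return f.text[:PREVIEW_LIMIT] if f else None

    def resolve_attachments(self, caller, file_ids):
        # Reject the whole request if any listed UUID is not the caller's own.
        files = [self._authorized(caller, fid) for fid in file_ids]
        if not all(files):
            raise PermissionError("file not found")
        return [f.text for f in files]

def demo():
    # Constructed sample: alice uploads in tenant A, eve belongs to tenant B.
    store, alice, eve = FileStore(), Caller("alice", "A"), Caller("eve", "B")
    fid = store.add(alice, "quarterly numbers")
    return store.preview_unscoped(fid), store.preview_scoped(eve, fid)
```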

Broader Implications and Mitigation Measures

Beyond the identified vulnerabilities, researchers discovered that Dify was utilizing an outdated version of PDFium, a C++ library for PDF rendering. This version is susceptible to CVE-2024-5846, a use-after-free bug that could lead to heap corruption via a crafted PDF file. The presence of this outdated component highlights the challenges in maintaining secure dependencies within AI platforms.

In response to these findings, Dify has released version 1.14.2, which addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. A fix for CVE-2026-41948 has been merged and is expected in an upcoming release. Organizations using Dify are strongly advised to upgrade to the latest version promptly. Three further measures are recommended to mitigate risk: implementing Web Application Firewall (WAF) rules to block path traversal attacks, monitoring plugin and file-related endpoints for suspicious activity, and limiting public exposure of Dify instances.

These vulnerabilities underscore the critical importance of robust security measures in AI platforms, especially those operating in multi-tenant environments. As AI systems become increasingly integral to various industries, ensuring their security is paramount to protect sensitive data and maintain user trust.