EXECUTIVE SUMMARY:
Multiple critical vulnerabilities have been identified in Dify that could expose sensitive AI data across tenants and potentially impact more than one million applications.
CVE-2026-41947 (CVSS 9.1): One of the most severe issues is that attackers can configure tracing on victim applications without proper tenant validation, effectively creating a persistent data exfiltration channel. By abusing this flaw, an attacker can capture full chat histories, including prompts and model responses.
CVE-2026-41948 (CVSS 9.4): Another critical vulnerability affects Dify's Plugin Daemon service due to improper input handling, allowing attackers to exploit path traversal flaws via crafted GET and POST requests to access internal APIs. Notably, these endpoints do not require authentication, thereby significantly increasing the risk of exploitation.
CVE-2026-41949: This flaw stems from weak permission enforcement and indirect access control models, enabling both cross-tenant and intra-tenant data leakage. Attackers can preview documents uploaded by other tenants without authorization, access sensitive files using only file UUIDs, and attach existing file identifiers to new messages to trick AI models into revealing the contents of those files.
CVE-2026-41950: In addition to logic flaws, Dify was found to be using an outdated version of PDFium, which is vulnerable to CVE-2024-5846, a use-after-free bug. This highlights a broader issue in AI platforms that process untrusted file formats without adequate sandboxing or dependency management.
These vulnerabilities collectively present a significant risk to enterprises relying on Dify for their AI workflows and chatbots.
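The two access-control patterns behind CVE-2026-41949 and CVE-2026-41948 (lookup of a resource by bare UUID without a tenant check, and a client-supplied path that escapes its base directory) are illustrated below. This is an added example written for this advisory, not Dify's own code; the store, tenant names, UUIDs and base directory are constructed.

```python
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StoredFile:
    file_id: str
    tenant_id: str
    name: str


# Constructed sample data: two tenants, one uploaded file each.
FILES = {
    f.file_id: f
    for f in (
        StoredFile("11111111-1111-4111-8111-111111111111", "tenant-a", "a-contract.pdf"),
        StoredFile("22222222-2222-4222-8222-222222222222", "tenant-b", "b-salaries.xlsx"),
    )
}


def preview_file_vulnerable(file_id: str) -> Optional[StoredFile]:
    """Looks up a file by its UUID alone: any caller who knows or guesses
    the identifier can read another tenant's file (the IDOR pattern)."""
    return FILES.get(file_id)


def preview_file_hardened(caller_tenant: str, file_id: str) -> Optional[StoredFile]:
    """Scopes the lookup to the caller's tenant. A tenant mismatch is treated
    exactly like a missing file, so the response does not confirm that the
    UUID exists in another tenant."""
    f = FILES.get(file_id)
    if f is None or f.tenant_id != caller_tenant:
        return None
    return f


def safe_plugin_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolves a client-supplied relative path under base_dir and rejects
    anything that leaves it after symlink and '..' resolution. Absolute
    paths are also rejected because os.path.join would discard base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```

The hardened lookup should be applied to every identifier-addressed operation (preview, download, attaching an existing file to a new message), since a check on one endpoint is bypassed by the next.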
RECOMMENDATION:
We recommend updating Dify to version 1.14.2.
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/difytap-flaws-wiretap-ai-data-across-tenants/