Cybersecurity researchers have revealed details of four security vulnerabilities in Dify, a widely used open-source agentic workflow platform that has accumulated more than 146,000 stars on GitHub. The vulnerabilities, collectively named DifyTap by researchers at Zafran Security, could have enabled attackers to gain unauthorized access to artificial intelligence conversations and sensitive data belonging to other customers using the platform. According to the researchers, two of the vulnerabilities were rated critical severity, two could be exploited without authentication, and three carried cross-tenant impact within Dify’s multi-tenant cloud environment. The flaws created conditions where one customer’s information could potentially be exposed to another customer, allowing unauthorized access to private AI conversations, model responses, uploaded documents, and files. Researchers said the vulnerabilities could have established a covert channel for continuously extracting messages and responses from affected applications without alerting victims.
The research found that the security issues extended beyond chat data exposure. Attackers could potentially navigate Dify’s internal Plugin Daemon API through unauthenticated requests and trigger cross-tenant internal API calls. The vulnerabilities also made it possible to preview documents uploaded by other tenants and to retrieve files belonging to other users within the same tenant by supplying specific file identifiers. In a separate finding, Zafran Security identified that Dify’s file parsing infrastructure relied on a vulnerable version of PDFium, an open-source C++ library used for rendering PDF documents. The version in use was susceptible to CVE-2024-5846, a use-after-free vulnerability with a CVSS score of 8.8 that could potentially enable remote attackers to exploit heap corruption using a specially crafted PDF file. Researchers noted that this weakness had existed for approximately two years and represented an additional security concern within the platform’s document processing functionality.
Among the disclosed vulnerabilities, CVE-2026-41947 received a CVSS score of 9.1 and involved an authorization bypass issue that allowed authenticated editor users to configure and activate tracing settings for any application regardless of tenant ownership. Researchers explained that the missing tenant ownership validation could allow attackers to redirect messages and responses from victim applications to attacker-controlled large language model trace providers. Since Dify allows public account registration, researchers warned that attackers could establish persistent data collection channels against publicly accessible applications. Another flaw, tracked as CVE-2026-41948 with a CVSS score of 9.4, is a path traversal vulnerability that enables authenticated users to manipulate requests forwarded to the internal Plugin Daemon REST API due to inadequate URL path sanitization. This issue could provide access to internal and private endpoints. CVE-2026-41949, carrying a CVSS score of 7.5 and 5.9 under different scoring contexts, affects the file preview endpoint and allows authenticated users to read up to 3,000 characters from uploaded documents across all tenants and workspaces when armed only with a file UUID.
The fourth vulnerability, CVE-2026-41950 with a CVSS score of 6.5, allows authenticated users to access the complete contents of files uploaded by other users within the same tenant by inserting arbitrary file UUIDs into chat message requests. Researchers emphasized that these weaknesses collectively demonstrated the risks associated with insufficient authorization controls and tenant isolation mechanisms in multi-tenant AI platforms. Following responsible disclosure, Dify addressed all vulnerabilities except CVE-2026-41948 in version 1.14.2, which was released last month. A fix for the remaining issue is expected in an upcoming release. Zafran Security stated that the DifyTap findings highlight ongoing challenges in vulnerability visibility, particularly within containerized environments where differences between deployments can create blind spots that traditional security scanners may fail to detect. The disclosure serves as a reminder for organizations deploying AI platforms to regularly assess authorization controls, tenant separation mechanisms, and third-party software components to reduce the risk of sensitive data exposure.
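The common thread in the file preview, chat file and tracing findings above is a resource looked up by UUID alone, with no check that it belongs to the caller’s tenant; the Plugin Daemon finding is a forwarded URL path that was not normalised before use. The following is an added illustration of those two defensive checks and is not Dify’s code: the `StoredFile` model, the `FILES` table, the sample tenants and the `/plugin/public/` allowlist prefix are all constructed for the example.

```python
"""Tenant-scoped lookup and proxy-path normalisation (illustrative, not Dify's code)."""
from dataclasses import dataclass
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote
import uuid


@dataclass(frozen=True)
class StoredFile:
    file_id: str
    tenant_id: str
    content: str


# Constructed sample data: two tenants, one uploaded file each.
TENANT_A, TENANT_B = "tenant-a", "tenant-b"
FILE_A = StoredFile(str(uuid.uuid4()), TENANT_A, "Tenant A quarterly report (constructed)")
FILE_B = StoredFile(str(uuid.uuid4()), TENANT_B, "Tenant B contract draft (constructed)")
FILES = {f.file_id: f for f in (FILE_A, FILE_B)}


def preview_unsafe(file_id: str, limit: int = 3000) -> Optional[str]:
    """The weak pattern: keyed by UUID only, so knowing the id reads any tenant's file."""
    f = FILES.get(file_id)
    return f.content[:limit] if f else None


def preview(requester_tenant: str, file_id: str, limit: int = 3000) -> Optional[str]:
    """Hardened: the lookup is scoped to the caller's tenant, so a foreign UUID
    is indistinguishable from a missing one (no oracle on whether the id exists)."""
    f = FILES.get(file_id)
    if f is None or f.tenant_id != requester_tenant:
        return None
    return f.content[:limit]


# Constructed allowlist prefix for paths a user may have forwarded to an internal daemon.
ALLOWED_PROXY_PREFIX = "/plugin/public/"


def proxy_path_allowed(user_path: str) -> bool:
    """Decode once, normalise '..' and '.' segments, then enforce the allowlist prefix,
    so a traversal sequence cannot reach routes outside the public subtree."""
    decoded = unquote(user_path)
    if "%" in decoded or "\\" in decoded:       # double encoding or odd separators: refuse
        return False
    clean = normpath("/" + decoded.lstrip("/"))
    return clean.startswith(ALLOWED_PROXY_PREFIX)
```

In a real deployment the tenant filter belongs in the database query itself (a `WHERE tenant_id = ?` clause), not in post-hoc Python, so that no code path can forget it.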