Full Report
Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversations from other customers' applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security.
Analysis Summary
This vulnerability summary is based on the technical details provided in the research report concerning "DifyTap," a collection of security flaws affecting the Dify platform.
# Vulnerability: DifyTap - Cross-Tenant AI Chat Exfiltration and Data Exposure
## CVE Details
- **CVE ID:** CVE-2026-41947, CVE-2026-41948, CVE-2026-41949, CVE-2026-41950, and CVE-2024-5846.
- **CVSS Score:** 6.5 to 9.4 (Medium to Critical)
- **CWE:** CWE-285 (Improper Authorization), CWE-22 (Path Traversal), CWE-416 (Use After Free)
## Affected Systems
- **Products:** Dify (Open-source agentic workflow platform)
- **Versions:** All versions prior to v1.14.2
- **Configurations:**
  - Multi-tenant cloud deployments are at the highest risk for cross-tenant data exposure.
  - Publicly accessible applications are specifically vulnerable to persistent chat exfiltration.
  - Deployments utilizing the PDFium parsing stack.
## Vulnerability Description
DifyTap consists of multiple authorization bypass and path traversal flaws:
- **Authorization Bypasses:** Missing tenant ownership checks allow users to access resources (files, chat traces, and previews) belonging to other tenants or users simply by providing the correct identifier (UUID).
- **Persistent Exfiltration:** By enabling trace configurations on unauthorized applications, attackers can redirect all incoming and outgoing AI messages to an external, attacker-controlled server.
- **Path Traversal:** Insufficient sanitization of URL paths allowed authenticated users to interact with the internal **Plugin Daemon API**, exposing private administrative endpoints.
- **Legacy Library Risk:** The platform used an outdated version of **PDFium**, which is susceptible to heap corruption through specially crafted PDF files.
## Exploitation
- **Status:** PoC available (Details disclosed by Zafran Security); no confirmed "in the wild" exploitation reported in the article.
- **Complexity:** Low to Medium (Exploitation of several flaws only requires knowledge of a file/app UUID).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** **High** (Exposure of private AI conversations, system files, and cross-tenant document previews).
- **Integrity:** **Medium** (Ability to modify trace configurations and potentially trigger internal API calls).
- **Availability:** **Low/Medium** (Impact primarily focused on data exposure).
## Remediation
### Patches
- **Upgrade to Dify v1.14.2 or later.** This version addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950.
- **Pending Patch:** A fix for CVE-2026-41948 (Path Traversal) is scheduled for the release immediately following v1.14.2.
### Workarounds
- **Restrict Access:** Limit access to Dify instances to trusted IP ranges or VPNs to reduce the attack surface for unauthenticated or unauthorized external users.
- **Monitor API Activity:** Audit logs for unusual requests to `/console/api/files/` and unexpected traffic to external LLM tracing providers.
## Detection
- **Indicators of Compromise:**
  - Unusual UUID-based file preview requests in application logs.
  - Unauthorized API requests directed toward the internal Plugin Daemon.
  - Outbound traffic to unknown or suspicious LLM trace endpoints (e.g., Langfuse or Helicone instances not owned by the organization).
- **Detection Methods:** Security teams should use runtime monitoring to identify cross-tenant data access patterns and inspect container images for the vulnerable PDFium library.
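
One way to run the `/console/api/files/` audit from the Workarounds and Detection sections is sketched below. It is an added example, not code from Zafran Security or the Dify project. It assumes a reverse proxy writing the "combined" access-log format, uses the client IP as a stand-in for the requesting user, and the threshold, the `/preview` suffix and all sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: nginx/Apache "combined" access-log format in front of the Dify API.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Any UUID directly under the path prefix named in the workaround above.
FILE_RE = re.compile(
    r'^/console/api/files/'
    r'(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:[/?]|$)',
    re.IGNORECASE,
)

def audit_file_requests(lines, max_distinct=3):
    """Return (wide, shared): clients that fetched more than max_distinct
    different file UUIDs, and file UUIDs fetched by two or more clients."""
    by_client = defaultdict(set)
    by_file = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or a request that returned no data
        f = FILE_RE.match(m["path"])
        if not f:
            continue  # not a UUID-addressed file request
        uuid = f["uuid"].lower()
        by_client[m["client"]].add(uuid)
        by_file[uuid].add(m["client"])
    wide = {c: sorted(u) for c, u in by_client.items() if len(u) > max_distinct}
    shared = {u: sorted(c) for u, c in by_file.items() if len(c) > 1}
    return wide, shared

def _line(client, path, status=200):
    return f'{client} - - [01/Jan/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample (documentation IPs, made-up UUIDs); not real Dify logs.
# The "/preview" suffix is an assumption; only the path prefix is from the report.
U = [f"00000000-0000-4000-8000-{i:012d}" for i in range(5)]
SAMPLE = (
    [_line("198.51.100.7", f"/console/api/files/{u}/preview") for u in U]
    + [_line("203.0.113.5", f"/console/api/files/{U[0]}/preview"),
       _line("203.0.113.5", "/console/api/apps"),
       _line("192.0.2.9", f"/console/api/files/{U[4]}/preview", status=403)]
)

if __name__ == "__main__":
    print(audit_file_requests(SAMPLE))
```

Both results are triage leads, not verdicts: shared NAT addresses and legitimately shared files will appear in them, so correlate hits with the account or tenant recorded in application logs where that is available.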
## References
- Zafran Security Research Advisory (DifyTap)
- Dify GitHub Release Notes: hxxps[://]github[.]com/langgenius/dify/releases/tag/1.14.2
- NVD Entries: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2024-5846