DifyTap — Four CVEs Expose Cross-Tenant AI Chats on 1M+ App Platform

AI relevance: Dify powers over 1 million agentic AI applications; tenant isolation failures let any customer silently read another customer's private AI conversations and uploaded files.

  • Zafran Security researchers Ido Shani and Gal Zaban disclosed four vulnerabilities in Dify, an open-source agentic workflow platform with 146,000+ GitHub stars.
  • CVE-2026-41948 (CVSS 9.4): Path traversal in the Plugin Daemon's internal REST API. Because URL paths are not properly sanitized, an authenticated user can craft a request whose path escapes the intended route and reaches private endpoints.
  • CVE-2026-41947 (CVSS 9.1): Authorization bypass lets any authenticated editor enable trace configurations for any application regardless of tenant ownership — creating a persistent exfiltration channel for all messages and responses.
  • CVE-2026-41949 (CVSS 7.5): File preview endpoint allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants using only the file's UUID.
  • CVE-2026-41950 (CVSS 6.5): Authenticated users can read full contents of files uploaded by other users within the same tenant by supplying arbitrary file UUIDs in chat-message requests.
  • Per the disclosure, two of the vulnerabilities required no authentication and three had cross-tenant impact on Dify's multi-tenant cloud service. Even the bugs that do require a login are reachable by anyone, since Dify Cloud accounts are free to register.
  • Using the trace-configuration bypass (CVE-2026-41947), an attacker could point a victim application's tracing at an attacker-controlled LLM trace provider and receive every message and response the application handles.
  • Dify's file parsing stack also relied on a PDFium build still carrying a two-year-old use-after-free (CVE-2024-5846, CVSS 8.8), reachable by uploading a crafted PDF.
  • All vulnerabilities except CVE-2026-41948 have been patched in Dify version 1.14.2; the remaining fix is expected in the next release.
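The path-traversal bullet above (CVE-2026-41948) comes down to a caller-supplied string being interpolated into an internal URL. The following is an added illustration, not Dify's plugin-daemon code: the base address, route layout, the `/admin` private prefix and the plugin ids are all assumptions built for the demo. It shows how a plain or percent-encoded `..` segment walks out of the public route once the receiving router decodes and normalises the path, and one way to close it (allowlist the segment, then re-check the decoded, normalised path against the expected prefix).

```python
# Added example (not Dify's code): unsanitized path segment in an internal REST
# URL, vulnerable builder beside a hardened one. All names are assumptions.
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

DAEMON_BASE = "http://plugin-daemon.internal:5002"                 # assumed
PUBLIC_ROUTE = "/plugin/{tenant_id}/management/{plugin_id}/info"   # assumed
PRIVATE_PREFIX = "/admin"   # assumed: routes a tenant must never reach

# One path segment: starts alphanumeric, no "/", "\", "%", NUL; the leading
# alphanumeric also rules out "." and ".." as whole segments.
SEGMENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


def build_url_vulnerable(tenant_id: str, plugin_id: str) -> str:
    # Straight interpolation: whatever the caller sends becomes part of the path.
    return DAEMON_BASE + PUBLIC_ROUTE.format(tenant_id=tenant_id, plugin_id=plugin_id)


def routed_path(url: str) -> str:
    """The path a typical HTTP router matches on: percent-decoded, with
    "." and ".." segments collapsed. This is the attacker's view of the URL."""
    return posixpath.normpath(unquote(urlsplit(url).path))


def build_url(tenant_id: str, plugin_id: str) -> str:
    for name, value in (("tenant_id", tenant_id), ("plugin_id", plugin_id)):
        if not SEGMENT_RE.fullmatch(value):
            raise ValueError(f"invalid {name}: {value!r}")
    # Encode defensively, then verify the *decoded, normalised* path still sits
    # under the public prefix. Encoding alone is not a fix: quote("..") is ".."
    # and the daemon would decode "%2e%2e" back to ".." before routing anyway.
    url = DAEMON_BASE + PUBLIC_ROUTE.format(
        tenant_id=quote(tenant_id, safe=""), plugin_id=quote(plugin_id, safe="")
    )
    if not routed_path(url).startswith(f"/plugin/{tenant_id}/management/"):
        raise ValueError("path escaped its route")
    return url


def run_demo() -> dict:
    """Plain and percent-encoded traversal against both builders."""
    plain = "../../../admin/private-key"
    encoded = "%2e%2e/%2e%2e/%2e%2e/admin/private-key"
    out = {
        "legit_path": routed_path(build_url_vulnerable("tenant-a", "acme-search")),
        "plain_traversal_path": routed_path(build_url_vulnerable("tenant-a", plain)),
        "encoded_traversal_path": routed_path(build_url_vulnerable("tenant-a", encoded)),
    }
    out["vulnerable_reaches_private"] = out["plain_traversal_path"].startswith(PRIVATE_PREFIX)
    for label, pid in (("plain", plain), ("encoded", encoded)):
        try:
            build_url("tenant-a", pid)
            out[f"hardened_rejects_{label}"] = False
        except ValueError:
            out[f"hardened_rejects_{label}"] = True
    out["hardened_legit_path"] = routed_path(build_url("tenant-a", "acme-search"))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The final prefix check is deliberately redundant with the allowlist: if a later refactor loosens the regex, the path is still verified as the router will see it, not as the code assembled it.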

Why it matters

Dify is production infrastructure for enterprises building AI agents at scale. Because the affected endpoints look objects up by identifier without checking that the object belongs to the caller's tenant, a single malicious customer can silently wiretap every other customer's AI conversations: proprietary prompts, sensitive documents and model responses. This is not a theoretical supply-chain risk; it is a working data-exfiltration channel in a platform powering over 1 million applications.
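The missing check is easiest to see in code. Below is an added example, not Dify's code: a toy in-memory store with two tenants, the id-only lookups that the trace-configuration (CVE-2026-41947) and file-preview (CVE-2026-41949) findings describe, and the tenant-scoped lookups that fix them. The data model, endpoint names and the attacker's collector URL are assumptions.

```python
# Added example (not Dify's code): id-only lookup versus tenant-scoped lookup.
# Data model, store and endpoint names are assumptions made for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    id: str
    tenant_id: str


@dataclass(frozen=True)
class UploadFile:
    id: str
    tenant_id: str
    content: str


@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str  # the tenant the caller is currently acting in


class NotFound(Exception):
    """Raised for objects that do not exist OR belong to another tenant."""


# Constructed sample data: two tenants, each owning one app and one file.
APPS = {"app-a": App("app-a", "tenant-a"), "app-b": App("app-b", "tenant-b")}
FILES = {
    "f-1111": UploadFile("f-1111", "tenant-a", "Q3 board deck: revenue forecast ..."),
    "f-2222": UploadFile("f-2222", "tenant-b", "Internal runbook ..."),
}
TRACE_CONFIG = {}  # app_id -> trace provider URL; stands in for a database row


# --- Vulnerable pattern: the lookup is keyed on the id alone ------------------
def enable_trace_vulnerable(user: User, app_id: str, provider_url: str) -> dict:
    app = APPS.get(app_id)
    if app is None:
        raise NotFound(app_id)
    # Nothing relates `app` to `user.tenant_id`: any caller who knows or guesses
    # an app id can point its tracing at their own collector.
    TRACE_CONFIG[app.id] = provider_url
    return {"app_id": app.id, "trace_provider": provider_url}


def preview_file_vulnerable(user: User, file_id: str, limit: int = 3000) -> str:
    f = FILES.get(file_id)
    if f is None:
        raise NotFound(file_id)
    return f.content[:limit]  # a UUID is an identifier, not an authorization token


# --- Hardened: every lookup is scoped to the caller's tenant ------------------
def load_for_tenant(store: dict, obj_id: str, user: User):
    obj = store.get(obj_id)
    if obj is None or obj.tenant_id != user.tenant_id:
        # Same failure for "missing" and "not yours", so the endpoint cannot be
        # used to confirm that a guessed id exists in some other tenant.
        raise NotFound(obj_id)
    return obj


def enable_trace(user: User, app_id: str, provider_url: str) -> dict:
    app = load_for_tenant(APPS, app_id, user)
    TRACE_CONFIG[app.id] = provider_url
    return {"app_id": app.id, "trace_provider": provider_url}


def preview_file(user: User, file_id: str, limit: int = 3000) -> str:
    return load_for_tenant(FILES, file_id, user).content[:limit]


def run_demo() -> dict:
    """A tenant-b user targets tenant-a's app and file through both code paths."""
    attacker = User("u-attacker", "tenant-b")
    owner = User("u-owner", "tenant-a")
    collector = "https://collector.attacker.example/v1/traces"  # assumed URL
    out = {
        "vuln_trace_redirected": enable_trace_vulnerable(attacker, "app-a", collector)["app_id"] == "app-a",
        "vuln_file_leaked": preview_file_vulnerable(attacker, "f-1111").startswith("Q3 board deck"),
    }
    TRACE_CONFIG.clear()
    for fn, args in ((enable_trace, ("app-a", collector)), (preview_file, ("f-1111",))):
        try:
            fn(attacker, *args)
            out[f"hardened_{fn.__name__}_blocked"] = False
        except NotFound:
            out[f"hardened_{fn.__name__}_blocked"] = True
    out["hardened_own_objects_ok"] = (
        preview_file(owner, "f-1111").startswith("Q3")
        and enable_trace(owner, "app-a", collector)["app_id"] == "app-a"
    )
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Returning the same "not found" result for foreign and non-existent objects matters for the same-tenant variant too (CVE-2026-41950): once the ownership check is in place, a different status code for "exists but not yours" would still let a caller enumerate valid file UUIDs.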

What to do

  • Upgrade Dify to version 1.14.2 immediately. CVE-2026-41948 is not fixed in that release, so track the follow-up release and, in the meantime, keep the Plugin Daemon's internal API unreachable from anything other than the Dify API service.
  • Audit trace provider configurations for unauthorized changes: list every application's tracing settings and look for external LLM trace endpoints that nobody on your team added. Because the bypass ignores tenant ownership, the change need not have been made by anyone in your tenant.
  • Review file access logs for anomalous UUID-based document reads: preview requests that succeeded against files owned by a different tenant, and bursts of failed preview requests from a single account, which suggest UUID probing.
  • If running self-hosted Dify, verify which PDFium build your document parser uses and update to one fixed for CVE-2024-5846, so a crafted PDF upload cannot trigger the use-after-free.
  • For multi-tenant deployments: implement network-level tenant isolation and monitor cross-tenant API calls at the gateway.
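The two log-review steps above are concrete enough to script. The block below is an added example, not Dify's code or its real log schema: it runs over a constructed JSON-lines access log, joins each file-preview read and tracing-config write against constructed ownership tables (in a real deployment those come from the database), and reports successful cross-tenant reads, successful cross-tenant trace writes, and accounts whose repeated failed preview lookups look like UUID probing. Field names, paths and the probing threshold are assumptions.

```python
# Added example (not Dify's code or log format): cross-tenant access detection
# over constructed API access logs. Field names and paths are assumptions.
import json
import re
from collections import Counter

# Constructed ownership tables; in practice query the apps and files tables.
FILE_OWNER = {"f-1111": "tenant-a", "f-2222": "tenant-b"}
APP_OWNER = {"app-a": "tenant-a", "app-b": "tenant-b"}

# Constructed sample log: one JSON object per line.
LOG_LINES = """
{"ts":"2026-05-02T10:00:01Z","user":"u-owner","tenant":"tenant-a","method":"GET","path":"/files/f-1111/preview","status":200}
{"ts":"2026-05-02T10:00:07Z","user":"u-mallory","tenant":"tenant-b","method":"GET","path":"/files/f-1111/preview","status":200}
{"ts":"2026-05-02T10:00:09Z","user":"u-mallory","tenant":"tenant-b","method":"POST","path":"/apps/app-a/trace","status":200}
{"ts":"2026-05-02T10:00:12Z","user":"u-mallory","tenant":"tenant-b","method":"POST","path":"/apps/app-b/trace","status":200}
{"ts":"2026-05-02T10:00:15Z","user":"u-mallory","tenant":"tenant-b","method":"GET","path":"/files/f-3333/preview","status":404}
{"ts":"2026-05-02T10:00:16Z","user":"u-mallory","tenant":"tenant-b","method":"GET","path":"/files/f-4444/preview","status":404}
{"ts":"2026-05-02T10:00:17Z","user":"u-mallory","tenant":"tenant-b","method":"GET","path":"/files/f-5555/preview","status":404}
{"ts":"2026-05-02T10:00:20Z","user":"u-owner","tenant":"tenant-a","method":"POST","path":"/apps/app-a/trace","status":200}
""".strip().splitlines()

PREVIEW_RE = re.compile(r"/files/(?P<file_id>[^/]+)/preview")   # assumed route
TRACE_RE = re.compile(r"/apps/(?P<app_id>[^/]+)/trace")          # assumed route
PROBE_THRESHOLD = 3  # failed preview lookups per user before calling it enumeration


def find_cross_tenant_access(lines, probe_threshold=PROBE_THRESHOLD):
    """Return findings for successful foreign-tenant reads/writes and probing."""
    findings = []
    failed_previews = Counter()
    for line in lines:
        ev = json.loads(line)
        ok = 200 <= ev["status"] < 300
        m = PREVIEW_RE.fullmatch(ev["path"])
        if m and ev["method"] == "GET":
            if not ok:
                # A miss leaks nothing by itself; many misses from one account do.
                failed_previews[ev["user"]] += 1
                continue
            owner = FILE_OWNER.get(m["file_id"])
            if owner is not None and owner != ev["tenant"]:
                findings.append({"kind": "cross_tenant_file_read", "user": ev["user"],
                                 "object": m["file_id"], "owner": owner, "ts": ev["ts"]})
            continue
        m = TRACE_RE.fullmatch(ev["path"])
        if m and ev["method"] in ("POST", "PUT", "PATCH") and ok:
            owner = APP_OWNER.get(m["app_id"])
            if owner is not None and owner != ev["tenant"]:
                findings.append({"kind": "cross_tenant_trace_write", "user": ev["user"],
                                 "object": m["app_id"], "owner": owner, "ts": ev["ts"]})
    for user, n in failed_previews.items():
        if n >= probe_threshold:
            findings.append({"kind": "file_id_probing", "user": user,
                             "object": None, "owner": None, "ts": None, "count": n})
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, e.g. for an alert summary."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in find_cross_tenant_access(LOG_LINES):
        print(f)
    print(summarize(find_cross_tenant_access(LOG_LINES)))
```

Only 2xx responses against foreign objects count as exposure; after the upgrade the same requests should turn into misses, which then feed the probing counter instead, so the script stays useful as a post-patch canary.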

Sources: