
4 vulnerabilities in Dify expose cross-tenant data


Four vulnerabilities, collectively named DifyTap, have been discovered in the open-source AI platform Dify, which is utilized by major companies to run over a million applications across more than 60 industries. Two of these vulnerabilities are critical, allowing unauthenticated access and data theft, and three have cross-tenant implications, meaning one customer's private data could be accessed by another, according to a recent report by Security Affairs.

The most severe flaw, CVE-2026-41947, resides in Dify's tracing system, enabling attackers to create a persistent channel for exfiltrating all messages and responses from any accessible application without authentication. Another critical vulnerability, CVE-2026-41948, in the Plugin Daemon, allows access to arbitrary endpoints via path traversal or direct API manipulation, requiring no login. Two additional flaws, CVE-2026-41949 and CVE-2026-41950, permit any console user to preview any document and enable chatbots to read attached user files. Dify also ran a vulnerable PDFium binary for over 18 months.

These issues highlight a broader category of risks in AI applications that parse various file formats from untrusted sources. Zafran Labs also identified a blind spot in container security scanning, as Dify's method of including unpackaged code made its vulnerabilities invisible to standard scanners. Dify version 1.14.2 addresses these vulnerabilities, with a recommendation to implement Web Application Firewall rules for CVE-2026-41948.

Source: Security Affairs
