
Zafran Labs researchers disclosed four vulnerabilities in Dify, the open-source AI platform used by major companies like Volvo and Maersk to run more than a million applications across more than 60 industries. Two vulnerabilities are of critical severity, two require no authentication at all, and three carry cross-tenant impact on Dify’s cloud service, meaning one customer’s private data was readable by another. The researchers collectively named the set of flaws DifyTap.
The first and most severe flaw is CVE-2026-41947 (CVSS score of 9.1), which lives in Dify’s tracing system, the component that logs messages and model responses for monitoring and analytics.
“An attacker can configure their own tracing for any application they can access as a client, which includes all publicly accessible applications,” reads the advisory. “This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application.”
Getting a Dify console account to pull this off requires nothing more than signing up for the platform. That’s not a high bar.
The second critical flaw, tracked as CVE-2026-41948 (CVSS score of 9.4), resides in the Plugin Daemon, the internal service that runs Dify’s plugin system.
“We discovered two primitives that allow access to arbitrary endpoints within the Plugin Daemon: one via GET and one via POST,” continues the report.
The GET primitive works by injecting a path traversal into the filename parameter of a plugin icon request, which gets passed directly into an internal API URL with no sanitization. Worse, the endpoint requires no login whatsoever, so anyone with network access to the Dify instance can exploit it. The POST primitive has a similar anatomy, just in the task deletion endpoint.
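The GET primitive described above comes down to caller-controlled text being placed into an internal URL path. The Python sketch below is an added example, not code from Dify or from Zafran's report; the host, route prefix and function names are hypothetical, and the inputs are constructed. It shows the weak URL construction beside a hardened one that allow-lists the filename and re-checks the resolved path.

```python
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical internal service and route (assumptions, not Dify's real layout).
DAEMON_BASE = "http://internal-daemon.example:8080"
ICON_PREFIX = "/plugin/asset/"

# One path segment only: the class excludes '/', '\\', '%', '?' and '#'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_icon_url_unsafe(filename: str) -> str:
    """Weak pattern: the request parameter is concatenated into the path."""
    return f"{DAEMON_BASE}{ICON_PREFIX}{filename}"


def effective_path(url: str) -> str:
    """Path an upstream would route on after decoding and dot-segment removal."""
    return posixpath.normpath(unquote(urlsplit(url).path))


def build_icon_url(filename: str) -> str:
    """Hardened form: allow-list the name, encode it, then re-check the result."""
    if not SAFE_NAME.fullmatch(filename) or ".." in filename:
        raise ValueError("filename is not a single safe path segment")
    url = f"{DAEMON_BASE}{ICON_PREFIX}{quote(filename, safe='')}"
    # Defence in depth: the normalised path must still sit under the prefix.
    if not effective_path(url).startswith(ICON_PREFIX):
        raise ValueError("resolved path leaves the icon prefix")
    return url


def is_rejected(filename: str) -> bool:
    """True when the hardened builder refuses the filename."""
    try:
        build_icon_url(filename)
    except ValueError:
        return True
    return False
```

The same allow-list and prefix check apply to any parameter that ends up in an internal URL, which is where the report places the POST primitive as well.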
The remaining two flaws, tracked as CVE-2026-41949 and CVE-2026-41950, both involve file access. The preview endpoint for uploaded documents checks that a file is of type “Document,” and nothing else. No ownership check, no tenant check. Any console user can preview any document in the entire system. The second flaw lets a client attach another user’s file UUID to their own chat message, then prompt a file-capable chatbot to read it back. Ask the AI to repeat the contents of the file exactly. It will.
Zafran also found that Dify ran a PDFium binary vulnerable to CVE-2024-5846, a use-after-free bug publicly disclosed in June 2024, for more than a year and a half, until December 21, 2025. Any end user could trigger it by uploading a malicious PDF to the preview endpoint.
“On a wider scale, many AI applications face the same danger. Those applications support parsing of many file formats from untrusted sources, allowing any end user to attempt and trigger known vulnerabilities in programs such as PDFium, ffmpeg or others,” continues the report. “Besides bumping versions regularly, applications should also sandbox these kinds of operations.”
This is a category problem, not just a Dify problem.
The research also surfaced a blind spot in container security scanning. Dify copies unpackaged Python code directly into its container images, which means standard scanners don’t detect the application itself as a component and never surface its vulnerabilities. Zafran developed what they call “shadow container image component enrichment” to infer what application a container image represents and match it against project-level CVEs. Without something like that, Dify’s vulnerabilities would have been invisible to every automated scanner watching the environment.
Dify version 1.14.2 addresses the above vulnerabilities.
“For those currently operating on version 1.14.2, it is highly recommended to implement Web Application Firewall (WAF) rules specifically designed to mitigate CVE-2026-41948,” concludes the report.