thehackernews.com web signal

Dify AI Platform Hit by Four CVEs, Worst One Still Unpatched


TL;DR

  • Zafran Security disclosed four CVEs in Dify, an AI workflow platform with over 146,000 GitHub stars, enabling cross-tenant data exfiltration.
  • The most severe flaw, CVE-2026-41948 with CVSS 9.4, is a path traversal in the Plugin Daemon API and remains unpatched at disclosure.
  • Three CVEs were patched in Dify version 1.14.2; any authenticated user could read documents from other tenants using just a file UUID.

Dify, an open-source platform for building AI-powered agentic workflows, has a problem at its foundation that affects every customer sharing its cloud infrastructure. Zafran Security researchers Ido Shani and Gal Zaban disclosed four vulnerabilities in the platform, collectively branded "DifyTap," showing that users in one tenant could silently read AI conversations, responses, and uploaded documents belonging to users in entirely separate tenants. According to The Hacker News, Dify has over 146,000 GitHub stars and powers approximately one million applications.

The four CVEs split across two severity bands. CVE-2026-41947 (CVSS 9.1) lets an authenticated editor configure LLM trace settings for any application regardless of tenant ownership, effectively redirecting all AI messages and responses to an attacker-controlled provider. CVE-2026-41948 (CVSS 9.4) is a path traversal flaw in Dify's Plugin Daemon API that exploits insufficient URL path sanitization to reach internal endpoints; it remains unpatched at the time of disclosure, with a fix expected in a subsequent release. CVE-2026-41949 (CVSS 7.5) allows any authenticated user to preview up to 3,000 characters of documents uploaded by other tenants using only a file UUID, while CVE-2026-41950 (CVSS 6.5) extends that to full file contents within a shared tenant. The other three flaws (CVE-2026-41947, CVE-2026-41949 and CVE-2026-41950) were addressed in Dify version 1.14.2.

What sharpens the risk on CVE-2026-41947 is that registration is open: as the disclosure puts it, "anyone can freely register for a Dify account," which means an attacker needs no prior foothold to target all publicly accessible applications on the platform and redirect their outputs to an attacker-controlled LLM trace provider.

The reporting does not confirm whether any of these vulnerabilities were exploited before disclosure, what the timeline for patching CVE-2026-41948 looks like, or whether Dify notified affected cloud customers. Self-hosted Dify deployments that have not yet upgraded to version 1.14.2 remain exposed to three of the four DifyTap flaws.

For teams running AI workflow platforms at scale, DifyTap is a reminder that tenant isolation and authorization checks are not boilerplate; they are the security boundary. As AI infrastructure moves toward shared, multi-tenant deployment models, the gap between "it works" and "it's isolated" is where vulnerabilities like these live.
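
The authorization gap behind the file-preview flaw (a lookup keyed only on a file UUID) can be shown next to its tenant-scoped form, together with a regression check a team can run against its own handlers. This is an added example, not Dify's code: the record type, function names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from uuid import UUID

PREVIEW_LIMIT = 3000  # preview size the article cites for CVE-2026-41949

@dataclass(frozen=True)
class StoredFile:  # hypothetical record, not Dify's schema
    tenant_id: str
    text: str

class FileNotFound(Exception):
    """Raised for a missing file and for a file owned by another tenant."""

# Constructed sample data: one uploaded file per tenant.
FILE_A = UUID("11111111-1111-4111-8111-111111111111")
FILE_B = UUID("22222222-2222-4222-8222-222222222222")
STORE = {
    FILE_A: StoredFile("tenant-a", "a" * 5000),
    FILE_B: StoredFile("tenant-b", "tenant-b contract draft"),
}

def preview_unscoped(store, caller_tenant, file_id):
    """Flawed pattern: the caller is authenticated, but the UUID is the only key."""
    record = store.get(file_id)
    if record is None:
        raise FileNotFound(str(file_id))
    return record.text[:PREVIEW_LIMIT]

def preview_scoped(store, caller_tenant, file_id):
    """Hardened pattern: tenant ownership is part of the lookup condition."""
    record = store.get(file_id)
    # Same error for "absent" and "not yours", so responses do not confirm a UUID.
    if record is None or record.tenant_id != caller_tenant:
        raise FileNotFound(str(file_id))
    return record.text[:PREVIEW_LIMIT]

def cross_tenant_leaks(store, caller_tenant, handler):
    """Regression check: ids of other tenants' files that handler serves to the caller."""
    leaked = []
    for file_id, record in store.items():
        if record.tenant_id == caller_tenant:
            continue
        try:
            handler(store, caller_tenant, file_id)
            leaked.append(file_id)
        except FileNotFound:
            pass
    return leaked
```

Running `cross_tenant_leaks` over every read handler in a test suite turns "it's isolated" into an assertion that fails the build when a tenant filter is dropped.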