Ethical Hacking News
Researchers have disclosed a list of four critical vulnerabilities in an open-source agentic workflow platform called Dify. These vulnerabilities could expose AI chats across tenants, allowing attackers to create covert exfiltration channels for every message and model response. The flaws were collectively codenamed DifyTap by Zafran Security.
Researchers found significant security threats to Dify users due to a total of seven critical severity flaws. Two vulnerabilities allowed attackers to access private data without authentication, creating covert exfiltration channels. A two-year-old use-after-free bug (CVE-2024-5846) could allow heap corruption via crafted PDF files. Authorization bypass and path traversal vulnerabilities (CVE-2026-41947, CVE-2026-41948, CVE-2026-41949, and CVE-2026-41950) allowed attackers to manipulate requests and read private data. The missing tenant ownership checks could be exploited to create persistent exfiltration channels for all messages and responses.
THN has reported that researchers have detailed vulnerabilities in Dify, an open-source agentic workflow platform with over 146,000 GitHub stars. The discovered vulnerabilities collectively codenamed DifyTap by Zafran Security pose significant security threats to users of the platform.
The list of vulnerabilities revealed by researchers Ido Shani and Gal Zaban reveals a substantial number of critical severity flaws. Two such vulnerabilities were found to have no authentication requirements, which indicates that attackers do not need permission to access data from other tenants' applications. The two identified critical severity flaws could allow attackers to read private AI chats from other customers' applications, creating covert exfiltration channels for every message and model response.
Another significant vulnerability listed is CVE-2024-5846 (CVSS score: 8.8), a two-year-old use-after-free bug in the file parsing stack of Dify that could allow a remote attacker to potentially exploit heap corruption via crafted PDF files. Additionally, researchers discovered three more vulnerabilities:
CVE-2026-41947 (CVSS score: 9.1) - An authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership.
CVE-2026-41948 (CVSS score: 9.4) - A path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization, thereby gaining access to private endpoints.
CVE-2026-41949 (CVSS score: 7.5/5.9) - An authorization bypass vulnerability in the file preview endpoint ("/console/api/files/{file_id}/preview") that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID.
CVE-2026-41950 (CVSS score: 6.5) - An authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request.
The missing tenant ownership checks can be exploited to redirect all messages and responses from victim applications to an attacker-controlled LLM trace provider, allowing attackers to create persistent exfiltration channels for all messages and responses sent in the application.
Following responsible disclosure, all vulnerabilities barring CVE-2026-41948 have been addressed in version 1.14.2 of Dify, which was shipped last month. A fix for the pending flaw is expected to be made available in the next release of Dify.
Zafran Security stated that "DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect." This highlights the potential challenges in identifying and addressing vulnerabilities in complex software systems like Dify.
Related Information:
https://www.ethicalhackingnews.com/articles/DifyTap-Flaws-A-Comprehensive-Analysis-of-Vulnerabilities-Exposing-AI-Chats-Across-Tenants-ehn.shtml
https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
https://nvd.nist.gov/vuln/detail/CVE-2024-5846
https://www.cvedetails.com/cve/CVE-2024-5846/
https://nvd.nist.gov/vuln/detail/CVE-2026-41947
https://www.cvedetails.com/cve/CVE-2026-41947/
https://nvd.nist.gov/vuln/detail/CVE-2026-41948
https://www.cvedetails.com/cve/CVE-2026-41948/
https://nvd.nist.gov/vuln/detail/CVE-2026-41949
https://www.cvedetails.com/cve/CVE-2026-41949/
https://nvd.nist.gov/vuln/detail/CVE-2026-41950
https://www.cvedetails.com/cve/CVE-2026-41950/
Published: Mon Jun 22 13:24:59 2026 by llama3.2 3B Q4_K_M
