
DifyTap: Cross-Tenant Data Exposure in the Dify AI Platform


CyberSecureFox Editorial Team


Four vulnerabilities, collectively dubbed DifyTap, have been discovered in Dify, an open platform for building AI agents. Two of them are critical, with CVSS scores of 9.1 and 9.4. According to researchers from Zafran Security, the vulnerabilities allowed attackers to covertly read private AI conversations of other customers’ applications in Dify’s multi-tenant cloud service, creating a persistent data exfiltration channel. The platform, which has more than 146,000 stars on GitHub, has already released fixes for three of the four vulnerabilities in version 1.14.2. Organizations using Dify need to update immediately.

Technical details of the vulnerabilities

According to Zafran’s researchers, three of the four vulnerabilities had cross-tenant impact, and two did not require authentication. Below is a detailed breakdown of each one.

CVE-2026-41947 — authorization bypass in tracing configuration (CVSS 9.1)

CVE-2026-41947 is an authorization bypass vulnerability that allows authenticated users with the editor role to set and activate tracing configurations for any application, regardless of tenant ownership. The absence of a tenant ownership check meant an attacker could redirect all messages and model responses from a victim’s applications to a tracing LLM provider under their control. As the researchers report, this made it possible to create a persistent exfiltration channel for all messages and responses, including those from publicly accessible applications.

CVE-2026-41948 — path bypass to the internal Plugin Daemon API (CVSS 9.4)

CVE-2026-41948 is the most critical vulnerability in the set. It is a path traversal/bypass issue caused by insufficient sanitization of URL paths when requests are forwarded to the internal REST API of the Plugin Daemon. An authenticated user could manipulate requests to access internal private endpoints and initiate cross-tenant calls to the internal API. This is the only vulnerability for which a fix has not yet been released; the patch is expected in the next Dify release.

CVE-2026-41949 — reading documents of other tenants (CVSS 7.5/5.9)

CVE-2026-41949 is an authorization bypass in the file preview endpoint (/console/api/files/{file_id}/preview). Any authenticated user could read up to 3,000 characters from any uploaded document across all tenants and workspaces, knowing only the file’s UUID.
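
The missing check described above, shown next to its tenant-scoped form. This is an added example, not Dify's code: the table layout, function names and tenant labels are hypothetical, and only the 3,000-character preview limit comes from the text.

```python
import sqlite3
import uuid

PREVIEW_LIMIT = 3000  # preview length cited in the text above


def make_db():
    """Constructed in-memory store: two tenants, one uploaded document each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (id TEXT PRIMARY KEY, tenant_id TEXT, body TEXT)")
    ids = {}
    for tenant in ("tenant-a", "tenant-b"):
        ids[tenant] = str(uuid.uuid4())
        db.execute(
            "INSERT INTO files VALUES (?, ?, ?)",
            (ids[tenant], tenant, f"confidential notes of {tenant} " * 200),
        )
    return db, ids


def preview_unscoped(db, file_id):
    """Flawed pattern: the UUID alone selects the row, so any caller can read it."""
    row = db.execute("SELECT body FROM files WHERE id = ?", (file_id,)).fetchone()
    return row[0][:PREVIEW_LIMIT] if row else None


def preview_scoped(db, file_id, caller_tenant):
    """Hardened pattern: the caller's tenant (taken from the authenticated
    session, never from the request) is part of the lookup, so a foreign
    file is indistinguishable from a missing one."""
    row = db.execute(
        "SELECT body FROM files WHERE id = ? AND tenant_id = ?",
        (file_id, caller_tenant),
    ).fetchone()
    return row[0][:PREVIEW_LIMIT] if row else None


if __name__ == "__main__":
    db, ids = make_db()
    foreign = ids["tenant-b"]
    print("unscoped, tenant-a reads tenant-b:", preview_unscoped(db, foreign) is not None)
    print("scoped,   tenant-a reads tenant-b:", preview_scoped(db, foreign, "tenant-a") is not None)
```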

CVE-2026-41950 — file leakage within a tenant (CVSS 6.5)

CVE-2026-41950 is an authorization bypass that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by substituting an arbitrary file UUID into the files array of a chat-messages request.

Additionally: outdated PDFium version

In addition to the four main vulnerabilities, the researchers also found that Dify’s file parsing stack used a version of the PDFium library affected by CVE-2024-5846 (CVSS 8.8) — a two-year-old use-after-free vulnerability that can allow a remote attacker to exploit heap corruption via a specially crafted PDF file.

Impact assessment

The combination of the discovered vulnerabilities poses a serious threat to Dify’s multi-tenant model. One distinction matters here: although the researchers describe a scenario of “unauthenticated silent wiretapping,” the NVD descriptions indicate that most of the CVEs require authenticated access. Nevertheless, the barrier to entry remains low: according to the researchers, anyone can register an account in Dify.

The highest risk is faced by:

  • Users of Dify’s cloud service — the cross-tenant vulnerabilities CVE-2026-41947 and CVE-2026-41949 directly affect data isolation between customers
  • Organizations with publicly accessible AI applications on Dify — an attacker could configure tracing on any public application, intercepting all user dialogues with the model
  • Operators of self-hosted deployments — the path bypass vulnerability CVE-2026-41948 with CVSS 9.4 allows access to internal APIs, which is especially dangerous when network segmentation is insufficient

Potential consequences include the leakage of sensitive data from AI conversations (including personal data, trade secrets, internal documents), as well as possible compromise of internal infrastructure via access to the Plugin Daemon API.

Mitigation recommendations

  1. Update Dify to version 1.14.2 or higher — this addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. The release is available on GitHub.
  2. For CVE-2026-41948 (CVSS 9.4) — no patch has been released yet. As a temporary measure, restrict network access to the internal Plugin Daemon API, ensuring it is not reachable from outside. Monitor for the next Dify release.
  3. Audit tracing configurations — check whether any unauthorized tracing providers have been added to your applications. Any unknown configuration may indicate a compromise.
  4. Review access logs — pay attention to anomalous requests to the /console/api/files/*/preview endpoints and to the Plugin Daemon API, especially those with unusual path traversal patterns.
  5. For containerized deployments — ensure container images are updated, including dependencies such as PDFium. The researchers note that differences between deployments can create “blind spots” that traditional scanners do not detect.
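
One way to carry out the log review in step 4, as an added example that is not from Zafran or the Dify project. It assumes reverse-proxy access logs in combined log format; the threshold, the sample lines, the addresses and the placeholder path are constructed, and only the preview endpoint path comes from the text.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Preview endpoint named in the article; the file UUID is captured for counting.
PREVIEW_RE = re.compile(r"^/console/api/files/([0-9a-fA-F-]{36})/preview")
# Combined log format (assumed layout): client, request path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
DISTINCT_FILE_THRESHOLD = 3  # assumed tuning value; set from your own baseline

def has_traversal(path):
    """Decode twice so %2e%2e and %252e%252e are both recognised as '..'."""
    decoded = path.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(decoded)
    return any(seg == ".." for seg in re.split(r"[/\\]", decoded))

def scan(lines):
    """Return (clients previewing many distinct files, requests with '..' segments)."""
    files_by_client = defaultdict(set)
    traversal_hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        if has_traversal(path):
            traversal_hits.append((client, path))
        p = PREVIEW_RE.match(path)
        if p:
            files_by_client[client].add(p.group(1).lower())
    enumerators = {c: len(f) for c, f in files_by_client.items()
                   if len(f) >= DISTINCT_FILE_THRESHOLD}
    return enumerators, traversal_hits

def _line(ip, path):
    return f'{ip} - - [01/Jan/2026:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log lines (documentation addresses, made-up UUIDs).
SAMPLE = [
    _line("198.51.100.7", "/console/api/files/11111111-1111-4111-8111-111111111111/preview"),
    _line("198.51.100.7", "/console/api/files/22222222-2222-4222-8222-222222222222/preview"),
    _line("198.51.100.7", "/console/api/files/33333333-3333-4333-8333-333333333333/preview"),
    _line("203.0.113.5", "/console/api/files/44444444-4444-4444-8444-444444444444/preview"),
    _line("198.51.100.9", "/console/api/placeholder/%2e%2e/%2e%2e/x"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Keying on the authenticated account rather than the client address gives a cleaner signal where the proxy logs it.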

The DifyTap case highlights a systemic issue in AI platforms with multi-tenant architectures: insufficient resource ownership checks turn basic features — tracing, file preview, messaging — into vectors for cross-tenant data leakage. Given that CVE-2026-41948 remains unpatched, the top priority for Dify administrators is to immediately update to version 1.14.2 while simultaneously restricting network access to internal Plugin Daemon APIs until a complete fix is released.

