
DifyTap: four cross-tenant flaws hit Dify, one still unpatched

Zafran Security discloses four Dify CVEs (41947–41950). Three patched in 1.14.2; the CVSS-9.4 Plugin Daemon path traversal CVE-2026-41948 remains unfixed at release time.


Zafran Security has disclosed four vulnerabilities in Dify, the open-source LLM application platform with 146k+ GitHub stars and a multi-tenant cloud service. The set — collectively branded DifyTap — lets an attacker silently read other tenants' AI chat history without authentication, preview their files, and reach internal APIs. Three of the four ship a fix in Dify 1.14.2; the most severe, CVE-2026-41948 (CVSS 9.4), is still unpatched in the latest release — the upstream fix is merged on main but not yet shipped in a tag.

The four CVEs

The disclosure is credited to Zafran Security; the CVE assignments are tracked at NVD:

  • CVE-2026-41947 — CVSS 9.1. Tracing-configuration endpoints fail to validate the requesting user's tenant. An attacker with a free Dify Cloud account can target any publicly accessible application, register their own tracing provider, and persistently exfiltrate every user prompt and model response. No authentication beyond basic signup is required.
  • CVE-2026-41948 — CVSS 9.4. Path traversal in the plugin-icon endpoint. The filename query parameter is injected directly into an internal URL targeting Dify's Plugin Daemon, with no sanitisation. The endpoint is reachable without authentication.
  • CVE-2026-41949 — CVSS 6.5. Unauthorised document preview across tenants.
  • CVE-2026-41950 — CVSS 6.5. Cross-file user access flaw.

Dify Cloud is used by Volvo, Maersk, Panasonic and Thermo Fisher, per Zafran's writeup.

Affected and patched versions

The patches are documented in the Dify 1.14.2 release notes on GitHub, which call out two tenant-scoping advisories by GHSA ID:

  • GHSA-48xc-wmw8-3jr3 — "enforce tenant scoping on app trace-config endpoints." Maps to CVE-2026-41947.
  • GHSA-2qwc-c2cc-2xwv — "tenant-scope FilePreviewApi text-extract endpoint." Maps to CVE-2026-41949.

A fourth advisory covers CVE-2026-41950. CVE-2026-41948 is not in the 1.14.2 tag; the fix sits on main and ships in the next release. Self-hosted operators can either deploy from main or stay on 1.14.2 with a WAF rule (see below).

Exploitation status

No public proof-of-concept and no in-the-wild reports at disclosure. The risk profile is the worst kind: unauthenticated, cross-tenant, persistent — and one of the four flaws remains exploitable in the latest tagged release because the upstream fix hasn't shipped. Treat this as a window in which a researcher with the Zafran writeup in hand can replicate the chain.

Action checklist

  1. If you run Dify self-hosted, upgrade to 1.14.2 today. That closes 3 of 4. For CVE-2026-41948, either build from main (the path-traversal fix is merged) or apply a WAF rule blocking .. and URL-encoded traversal sequences (%2e%2e, ..%2f, ..%5c) on requests to the plugin-icon endpoint until the next tag ships.
  2. If you're on Dify Cloud, your fix path is whatever the vendor rolls out; there is no user-side action against CVE-2026-41947 / 41949 / 41950 on a managed multi-tenant instance. Ask the vendor in writing when the patch was applied to your tenant's data plane and whether your tracing configuration was ever modified by an account other than yours.
  3. Rotate every secret reachable through your Dify applications. LLM API keys (OpenAI, Anthropic, Azure OpenAI, Bedrock), connector tokens, RAG storage credentials, and any plugin-daemon credentials. The tracing-exfil channel runs silently; you have no way to know whether it was attached during the disclosure window.
  4. Audit your tenant's tracing providers. In the Dify console, every application has a list of registered trace destinations. Anything you don't recognise — particularly endpoints under domains you don't operate — is a presumptive exfiltration channel.
  5. Lock down public exposure. A Dify instance does not need to be reachable from the open internet for most internal deployments. If yours is, the CVE-2026-41948 unauthenticated traversal makes that exposure a much worse trade-off this week than last.
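As an added example for the interim check in step 1 (this is not code from Zafran or the Dify project), the Python below scans constructed access-log lines for traversal sequences in the filename parameter of requests to the plugin-icon endpoint; it percent-decodes repeatedly, so it also catches double-encoded variants beyond the sequences listed above. The endpoint path, the log format and the log lines themselves are assumptions.

```python
"""Flag plugin-icon requests whose filename parameter carries a path-traversal
sequence (CVE-2026-41948 interim check). The endpoint path and the sample
log lines are constructed assumptions, not taken from Dify's source."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed path fragment of the plugin-icon endpoint; adjust to your deployment.
PLUGIN_ICON_PATH = "/plugin/icon"

# Combined-format access log: only the quoted request line is needed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log; lines 2-4 carry the traversal forms named in step 1
# plus a double-encoded variant, line 5 is a benign name containing dots.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2026:10:00:00 +0000] "GET /api/plugin/icon?tenant_id=t1&filename=icon.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2026:10:00:01 +0000] "GET /api/plugin/icon?tenant_id=t1&filename=..%2f..%2fother.png HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/May/2026:10:00:02 +0000] "GET /api/plugin/icon?tenant_id=t1&filename=%2e%2e%5cother.png HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/May/2026:10:00:03 +0000] "GET /api/plugin/icon?tenant_id=t1&filename=%252e%252e%252fother.png HTTP/1.1" 200 77',
    '10.0.0.5 - - [01/May/2026:10:00:04 +0000] "GET /api/plugin/icon?tenant_id=t1&filename=v1..2.png HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2026:10:00:05 +0000] "GET /api/files?filename=..%2fother.png HTTP/1.1" 404 0',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e unwraps to '..' as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(filename: str) -> bool:
    """True if any path segment of the decoded filename is '..' (either slash)."""
    decoded = decode_fully(filename).replace("\\", "/")
    return ".." in decoded.split("/")


def scan_log(lines):
    """Return (line_no, decoded_filename) for traversal hits on the plugin-icon endpoint."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if PLUGIN_ICON_PATH not in parts.path:
            continue  # other endpoints are out of scope for this rule
        for filename in parse_qs(parts.query).get("filename", []):
            if is_traversal(filename):
                hits.append((n, decode_fully(filename)))
    return hits


if __name__ == "__main__":
    for n, fname in scan_log(SAMPLE_LOG):
        print(f"line {n}: traversal in filename={fname!r}")
```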

Context

This is the second Dify advisory in a year — the previous, GHSA-6pw4-jqhv-3626 / CVE-2025-43862, was an APP-orchestration access-control flaw fixed in v0.6.8 and tracked back to ~3,894 vulnerable instances on Shodan at the time. The DifyTap chain is the more dangerous follow-up: it's not a misconfiguration on a self-hosted box, it's a defect in the multi-tenant isolation contract itself.

The broader pattern is the one this site has been tracking across Anthropic's claude-code-action repo-takeover chain, the @mastra npm scope hijack, and the marimo CVE-2026-39987 LLM-agent post-exploit primitive: AI application frameworks ship the same authorisation bugs the rest of the web stack shipped a decade ago, but with prompts, model responses, and connector credentials on the wire. The blast radius of a missing tenant check is no longer "another customer's CRM rows" — it's "another customer's entire conversation history with your LLM."
