CVE Tools
Back to feed
SecurityWeek ·EN-US News source ResearchDifyDifyTap

Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps

By Ionut Arghire··2 min read
CVE Tools coverage

SecurityWeek reports that four security issues in the open source AI platform Dify can be abused in multi-tenant cloud setups to access or exfiltrate data belonging to other customers. The affected vulnerabilities are tracked as CVE-2026-41947, CVE-2026-41948, CVE-2026-41949, and CVE-2026-41950, and they impact components such as Dify tracing, the plugin daemon, and file handling/permissions, enabling actions like reading other tenants’ chats, previewing documents, and invoking cross-tenant APIs. Zafran further notes the preview endpoint relied on a vulnerable Chromium PDFium binary (126.0.6462.0) tied to CVE-2024-5846, and Dify version 1.14.2 is released with patches to address these findings—users should upgrade promptly and consider WAF mitigations for CVE-2026-41948.