CVE-2025-32796— Dify Allows Unauthorized APP Enable/Disable via API
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-32796
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dify Allows Unauthorized APP Enable/Disable via API
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal users are not permitted to make such changes. This access control flaw allows non-admin users to make unauthorized changes, which can disrupt the functionality and availability of the APPS. This issue has been patched in version 0.6.12. A workaround for this vulnerability involves updating the API access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can send enable or disable requests for apps.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
dify 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
dify是LangGenius开源的一个开源的 LLM 应用程序开发平台。 dify 0.6.12之前版本存在安全漏洞,该漏洞源于普通用户可通过API启用或禁用APP。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| langgenius | dify | < 0.6.12 | - |
II. Public POCs for CVE-2025-32796
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-32796
请登录查看更多情报信息。
Patches & Fixes for CVE-2025-32796 (1)
Same Patch Batch · langgenius · 2025-04-18 · 3 CVEs total
| CVE-2025-32795 | 6.5 MEDIUM | Dify Allows Insecure User Role Access Control for APP Editing |
| CVE-2025-32790 | 6.3 MEDIUM | Dify Allows Insecure User Role Access Control for APP DSL Exporting |
IV. Related Vulnerabilities
Same product: dify
- CVE-2026-41949
Dify < 1.14.2 Authorization Bypass via File Preview Endpoint - CVE-2026-41948
Dify v1.14.1 Path Traversal via Plugin Daemon Internal API A - CVE-2026-41947
Dify < 1.14.2 Authorization Bypass via Trace Configuration E - CVE-2026-41950
Dify < 1.14.0 Authorization Bypass via File UUID - CVE-2026-42138
Dify Vulnerable to Stored XSS via SVG-file upload
Same vendor: langgenius
- CVE-2026-41949
Dify < 1.14.2 Authorization Bypass via File Preview Endpoint - CVE-2026-41948
Dify v1.14.1 Path Traversal via Plugin Daemon Internal API A - CVE-2026-41947
Dify < 1.14.2 Authorization Bypass via Trace Configuration E - CVE-2026-41950
Dify < 1.14.0 Authorization Bypass via File UUID - CVE-2026-42138
Dify Vulnerable to Stored XSS via SVG-file upload
Same weakness: CWE-284
- CVE-2026-10152
TaleLin lin-cms-spring-boot book Endpoint BookController.jav - CVE-2026-45707
n8n-MCP: Multi-tenant MCP requests fall back to process-leve - CVE-2026-49198
Predator Connect W6x: MQTT Broker Access Control - CVE-2026-45296
OpenReplay: Cross-tenant information disclosure in app_apike - CVE-2026-41160
EspoCRM: Broken Access Control / IDOR in Note Pinning API al
V. Comments for CVE-2025-32796
No comments yet