
dify — Vulnerabilities & Security Advisories (21)

All 21 CVE vulnerabilities found in dify, with AI-generated Chinese analysis, references, and POCs.

This page documents known security weaknesses in Dify, an open-source platform for building and managing large language model applications. It aggregates vulnerability data from official vendor advisories, public security databases, and community reports to give a consolidated view of the product's security posture. The collection covers reported issues from the platform's initial public release through recent updates, so both legacy and newly identified weaknesses appear in the dataset. Readers can track the vendor's advisories to stay informed about patches and remediation steps as they are released, and can analyze the distribution and frequency of specific weakness classes (for example, the recurring CWE-284 access-control and CWE-79 cross-site scripting entries below) to understand systemic risks in the application architecture. The page also allows stakeholders to review the product's vulnerability history, offering insight into how the development team has responded to security reports over time; this historical view is useful when assessing the long-term stability and maintenance practices of the software. By consolidating these sources, the page serves as a reference point for security researchers, developers, and enterprise administrators evaluating Dify's risk profile before integration or deployment, supporting decisions about upgrade timelines, mitigation strategies, and risk acceptance without relying on marketing narratives or incomplete data snippets.

Vendor: langgenius

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41949 | Dify < 1.14.2 Authorization Bypass via File Preview Endpoint | CWE-639 | 5.9 | Medium | 2026-05-18 |
| CVE-2026-41948 | Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access | CWE-23 | 9.4 | Critical | 2026-05-18 |
| CVE-2026-41947 | Dify < 1.14.2 Authorization Bypass via Trace Configuration Endpoints | CWE-639 | 9.1 | Critical | 2026-05-18 |
| CVE-2026-41950 | Dify < 1.14.0 Authorization Bypass via File UUID | CWE-639 | 6.5 | Medium | 2026-05-05 |
| CVE-2026-42138 | Dify Vulnerable to Stored XSS via SVG-file upload | CWE-79 | 6.1 | - | 2026-05-04 |
| CVE-2026-34082 | Dify has IDOR in deleting someone else's chat conversation | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-04-20 |
| CVE-2026-6619 | langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting | CWE-79 | 3.5 | Low | 2026-04-20 |
| CVE-2026-6618 | langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery | CWE-918 | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6617 | langgenius dify ApiToolManageService api_tools_manage_service.py get_api_tool_provider_remote_schema server-side request forgery | CWE-918 | 6.3 | Medium | 2026-04-20 |
| CVE-2026-21866 | Dify - Stored XSS in chat | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-03 |
| CVE-2026-28288 | Dify has a user enumeration issue | CWE-204 | 5.3 | - | 2026-02-27 |
| CVE-2026-26023 | Client-side DOM XSS in the web chat app of Dify when using echarts | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-11 |
| CVE-2025-67732 | Dify Vulnerable to Plaintext API Key Exposure via Model Provider Configuration Endpoint | CWE-200 | 5.4 | - | 2026-01-05 |
| CVE-2025-58747 | Dify MCP OAuth Flow Vulnerable to XSS | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-17 |
| CVE-2025-59422 | Dify Has Broken Access Control on Log Message Endpoint Allows Reading of Chats of Others | CWE-284 | 4.3 (AI) | Medium (AI) | 2025-09-25 |
| CVE-2025-49149 | Dify has XSS vulnerability | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-17 |
| CVE-2025-43854 | DIFY vulnerable to Clickjacking Attack | CWE-1021 | 6.1 (AI) | Medium (AI) | 2025-04-28 |
| CVE-2025-43862 | Dify Allows Unauthorized Access and Modification of APP Orchestration | CWE-284 | 7.6 | High | 2025-04-25 |
| CVE-2025-32796 | Dify Allows Unauthorized APP Enable/Disable via API | CWE-284 | 6.5 | Medium | 2025-04-18 |
| CVE-2025-32795 | Dify Allows Insecure User Role Access Control for APP Editing | CWE-284 | 6.5 | Medium | 2025-04-18 |
| CVE-2025-32790 | Dify Allows Insecure User Role Access Control for APP DSL Exporting | CWE-284 | 6.3 | Medium | 2025-04-18 |

CVSS and severity values marked (AI) were tagged as AI-assessed on the source page rather than taken from a vendor or database score; a "-" in the Severity column means no severity rating was listed.
