DifyTap: 4 bugs put over 1 million AI apps at risk

Four flaws in Dify exposed data, documents, and AI conversations between tenants. Two critical bugs allowed unauthenticated access and data theft.
Researchers at Zafran Labs have uncovered four vulnerabilities in Dify, an open source AI platform used by major companies such as Volvo and Maersk to run more than 1 million applications in more than 60 industries. Two vulnerabilities are critical in severity, two require no authentication at all, and three have cross-tenant impact on Dify’s cloud services. This meant that one customer’s personal data could be read by another customer. Researchers collectively named this series of flaws “DifyTap.”
The first and most severe flaw is CVE-2026-41947 (CVSS score 9.1). It resides in Dify’s tracing system, a component that records messages and model responses for monitoring and analysis.
“An attacker can set up their own traces for any application that they can access as a client. This includes all publicly accessible applications,” reads the advisory. “This allows an attacker to create a persistent exfiltration channel for all messages and responses sent by the application.”
Getting the Dify console account needed for this only requires signing up on the platform. It’s not a high bar.

The second critical flaw, tracked as CVE-2026-41948 (CVSS score 9.4), resides in the plugin daemon, an internal service that runs Dify’s plugin system.
“We discovered two primitives that allow access to arbitrary endpoints within the plugin daemon, one via GET and one via POST,” the report continues.
The GET primitive works by injecting path traversal into the filename parameter of the plugin icon request, which is passed directly to the internal API URL without any sanitization. Even worse, the endpoint does not require any login, making it exploitable by anyone with network access to your Dify instance. The POST primitive has a similar structure, but sits in the task deletion endpoint.
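The following Python sketch is an added example, not code from Dify or from the Zafran report. It puts the unsanitized concatenation described above next to a hardened builder and a check that can be run over logged URLs. The base URL, route and function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

# Hypothetical internal base URL and route; not Dify's real ones.
INTERNAL_ICON_BASE = "http://plugin-daemon.internal:5002/plugin/icon/"
PREFIX_PATH = urlsplit(INTERNAL_ICON_BASE).path  # "/plugin/icon/"

# Allowlist: a single path segment that starts with an alphanumeric character.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_icon_url_unsafe(filename: str) -> str:
    """The pattern the article describes: the parameter is concatenated as-is."""
    return INTERNAL_ICON_BASE + filename


def build_icon_url(filename: str) -> str:
    """Return the internal URL, or raise ValueError for a non-conforming name."""
    # Decode repeatedly so single- and double-encoded dots and slashes
    # are seen in the clear before validation.
    decoded = filename
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise ValueError("filename is encoded too many times")
    if not _SAFE_NAME.fullmatch(decoded) or ".." in decoded:
        raise ValueError("filename is not a single safe path segment")
    return INTERNAL_ICON_BASE + quote(decoded, safe="")


def escapes_prefix(url: str) -> bool:
    """True when the normalised path leaves the icon prefix (a log-review check)."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    return not (path + "/").startswith(PREFIX_PATH)


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ["logo.png", "../../other", "%2e%2e%2fother"]:
        print(name, "->", escapes_prefix(build_icon_url_unsafe(name)))
```

Validating against an allowlist after decoding, rather than stripping `../` sequences, is what keeps encoded variants from slipping through.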
The remaining two flaws are tracked as CVE-2026-41949 and CVE-2026-41950, both of which involve file access. The preview endpoint for uploaded documents checks that the file type is ‘document’, but nothing else. There are no ownership checks or tenant checks. Any console user can preview system-wide documents. The second vulnerability allows a client to attach another user’s file UUID to its own chat message and prompt a file-aware chatbot to read it. Asking the AI to repeat the contents of the file exactly is all it takes.
Zafran also discovered that Dify had been running PDFium binaries vulnerable to CVE-2024-5846, a use-after-free bug published in June 2024, for more than a year and a half, ending on December 21, 2025. Any end user could reach the vulnerable binary by uploading a malicious PDF to the preview endpoint.
“More broadly, many AI applications face the same danger. These applications support parsing many file formats from untrusted sources, allowing any end user to attempt and trigger known vulnerabilities in programs such as PDFium and ffmpeg,” the report continues. “In addition to changing versions regularly, applications also need to sandbox these types of operations.”
This is a category issue and not just a Dify issue.
The study also revealed blind spots in container security scanning. Dify copies unpackaged Python code directly into a container image. This means that standard scanners will not detect the application itself as a component and will not expose its vulnerabilities. Zafran developed something called “shadow container image component enrichment” to infer what kind of application a container image represents and match it to project-level CVEs. Without something like that, the Dify vulnerability would have been invisible to all the automated scanners monitoring the environment.
Dify version 1.14.2 addresses the vulnerabilities listed above.
“We strongly recommend that customers currently running version 1.14.2 implement Web Application Firewall (WAF) rules specifically designed to mitigate CVE-2026-41948,” the report concludes.
Pierluigi Paganini
