Multiple critical vulnerabilities in Dify could expose sensitive AI data across tenants, impacting over 1 million applications.
Powering AI workflows, chatbots, and retrieval-augmented generation (RAG) pipelines, Dify is widely adopted across companies such as Volvo, Maersk, Panasonic, and Thermo Fisher.
With over 140,000 GitHub stars and over 10 million Docker pulls, the platform has become a core component of production AI systems.
During its investigation, Zafran identified tens of thousands of internet-connected Dify instances, highlighting the potential scale of the danger.
Critical cross-tenant data leakage
This research uncovered four vulnerabilities, including two critical flaws: CVE-2026-41947 (CVSS 9.1) and CVE-2026-41948 (CVSS 9.4).
Three of the four issues enable cross-tenant attacks in Dify’s multi-tenant cloud deployment, allowing attackers to access data belonging to other customers.
One of the most serious issues is that an attacker can configure tracing on a victim application without proper tenant validation.
Exploitation of this flaw allows an attacker to capture the complete chat history, including prompts and model responses, effectively creating a persistent data exfiltration channel.
Another critical vulnerability affects Dify’s Plugin Daemon service. Due to improper input handling, an attacker could exploit a path traversal flaw via crafted GET and POST requests to access the internal API.
Notably, these endpoints do not require authentication, which significantly increases the risk of exploitation. This vulnerability also affects Dify’s file handling mechanism. Researchers found that an attacker could:
- Preview documents uploaded by other tenants without permission.
- Access sensitive files such as PDFs and images using only the file UUID.
- Attach existing file identifiers to new messages to trick AI models into revealing the contents of those files.
These flaws result from weak permission enforcement and indirect access control models, allowing both inter-tenant and intra-tenant data leaks.
In addition to the logic flaws, Dify was found to be using an outdated version of PDFium. This version is vulnerable to CVE-2024-5846, a use-after-free bug.
This vulnerable component has been in production for over 18 months since its release, allowing an attacker to exploit the issue by uploading a malicious PDF file.
This highlights a broader issue with AI platforms handling untrusted file formats without proper sandboxing or dependency management.
Dify has released version 1.14.2, which addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. The fix for CVE-2026-41948 has been merged and will be included in a future release.
Security teams should immediately upgrade to the latest Dify version, deploy WAF rules to block path traversal attacks, monitor plugins and file-related endpoints for suspicious activity, and limit exposure of Dify instances where possible.
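One way to carry out the monitoring step for path traversal, as an added example that is not code from Zafran or Dify: it flags GET and POST requests whose path contains a `..` segment after repeated percent-decoding, so encoded and double-encoded variants are caught as well. The access-log format, the `/svc/...` paths and the IP addresses are constructed placeholders, because the article does not name the affected endpoints.

```python
import re
from urllib.parse import unquote

# Request line as it appears in a combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; paths and addresses are placeholders, not Dify endpoints.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /svc/files/report.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /svc/assets/../internal/status HTTP/1.1" 200 88',
    '198.51.100.4 - - [01/Jan/2026:10:00:05 +0000] "POST /svc/assets/%2e%2e%2finternal/task HTTP/1.1" 200 40',
    '198.51.100.4 - - [01/Jan/2026:10:00:06 +0000] "POST /svc/assets/%252e%252e/internal/task HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "GET /svc/search?q=a..b HTTP/1.1" 200 77',
]


def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_traversal(target):
    """True if the request path holds a '..' segment once decoded and normalised."""
    path = target.split("?", 1)[0]                    # inspect the path, not the query
    path = decode_fully(path).replace("\\", "/")      # treat backslash as a separator
    return ".." in path.split("/")                    # whole segment only, not 'v1..2'


def flag_traversal(log_lines):
    """Return (client, method, target) for every GET/POST that attempts traversal."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group(2)):
            hits.append((line.split()[0], match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for client, method, target in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {method} {target}")
```

A WAF rule built on the same idea has to decode the path as many times as the backend does before matching, otherwise the double-encoded request in the sample passes unflagged.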
The findings are part of Zafran’s “Project DarkSide,” which focuses on uncovering systemic weaknesses in AI infrastructure.
Similar to previous research on the Chainlit framework, this disclosure highlights how modern AI systems, often built on microservices and containerized environments, introduce new attack surfaces that cannot be detected by traditional security tools.
To address this gap, Zafran introduced a technique called “shadow container image component enrichment.” This increases visibility of application-level vulnerabilities hidden within container images.
An example scenario illustrates the risks. An attacker can sign up for a free Dify cloud account, identify a public AI application, extract its internal app ID, and silently enable tracing to gain continuous access to all user interactions without detection.
As AI adoption accelerates, these vulnerabilities highlight the urgent need for stronger isolation, secure architectural design, and improved visibility across the AI supply chain.
