Four vulnerabilities in Dify, a popular open-source AI workflow platform with over 146,000 GitHub stars, could let attackers silently read AI conversations from other customers’ applications — no authentication required for two of them.
Researchers at Zafran Security collectively codenamed the flaws DifyTap. Two were critical severity, two required no authentication, and three had cross-tenant impact on Dify’s multi-tenant cloud service. That means one customer’s private AI chats could be exposed to another customer entirely.
The most dangerous combination: an attacker could configure their own tracing for any publicly accessible application, creating a persistent exfiltration channel for every message and model response. Anyone can freely register for a Dify account, so the barrier to entry is essentially zero.
One of the vulnerabilities also involves CVE-2024-5846, a two-year-old use-after-free bug in PDFium (CVSS 8.8) that Dify’s file parsing stack depends on. That could let an attacker exploit heap corruption via a crafted PDF.
Zafran also found that attackers could traverse Dify’s internal Plugin Daemon API from unauthenticated requests, preview documents uploaded by other tenants, and leak files across users within a tenant by swapping in another user’s file UUID.
Dify addressed three of the four vulnerabilities in version 1.14.2, released last month. A fix for CVE-2026-41948, the path traversal flaw, is expected in the next release.
If you’re running Dify — especially the cloud service — check your version and update to 1.14.2 immediately. And keep an eye out for the next release to close the remaining hole.
