Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
Publish Date: 2026-06-22 12:13:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversions from other customers’ applications without requiring authentication.
The vulnerabilities have been collectively codenamed DifyTap by Zafran Security.
“Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify’s multi-tenant cloud service, allowing one customer’s data to be exposed to another,” researchers Ido Shani and Gal Zaban said.
The security defects could have allowed attackers to read private AI chats from other customers’ applications, creating a covert exfiltration channel for every message and model response.
They also made it possible to traverse Dify’s internal Plugin Daemon API from unauthenticated requests and trigger cross-tenant internal API calls, as well as preview documents uploaded by other tenants and leak files across users within a tenant by attaching another user’s file unique identifier.
Separately, Zafran said it also discovered that Dify’s file parsing stack relied on a version of PDFium, an open-source C++ library for PDF rendering, that was vulnerable to CVE-2024-5846 (CVSS score: 8.8), a two-year-old use-after-free bug that could allow a remote attacker to potentially exploit heap corruption via a crafted PDF file.
The remaining vulnerabilities are listed below –
- CVE-2026-41947 (CVSS score: 9.1) – An authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership.
- CVE-2026-41948 (CVSS score: 9.4) – A path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon’s internal REST API by exploiting insufficient URL path…
 "OpenAI Expands Cybersecurity Efforts With Open-Source Bug-Fixing Initiative – Firstpost")
