Four vulnerabilities in the open source AI platform Dify could be exploited to siphon other tenants’ data in multi-tenant cloud configurations, Zafran Security warns.
A highly popular LLMOps platform for creating, deploying, maintaining, and monitoring AI applications, Dify powers over 1 million applications across more than 50 industries.
Called DifyTap, the newly uncovered security defects in the platform allowed attackers to read private chats from other customers’ applications, trigger cross-tenant internal API calls, preview documents uploaded by other tenants, and leak other users’ files within the same tenant.
Tracked as CVE-2026-41947 (CVSS score of 9.1), the first issue existed in Dify’s tracing functionality, which supports profiling and monitoring AI applications.
Because the endpoints relevant to configuring tracing did not validate the sender’s tenant, attackers could send requests for any application hosted on the instance. Exploitation requires a Dify console user, which is available to anyone signing up for the platform.
“An attacker can configure their own tracing for any application they can access as a client, which includes all publicly accessible applications. This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application,” Zafran explains.
The second flaw, tracked as CVE-2026-41948 (CVSS score of 9.4), impacts the plugin daemon, which is responsible for managing and running Dify plugins.
Two primitives in the daemon provide attackers with access to arbitrary API endpoints via GET and POST requests and could be abused to perform path traversal attacks, to fetch other tenants’ plugin icons, or affect other tenants’ environments.
The remaining two vulnerabilities, tracked as CVE-2026-41949 and CVE-2026-41950, are high-severity defects related to how file identification and access permissions are handled in Dify, allowing attackers to preview files uploaded by other tenants or retrieve files uploaded by other users on the same tenant.
Zafran also discovered that, for roughly one and a half years, until December 21, 2025, the PDF parsing library used by the preview endpoint used Chromium PDFium binary version 126.0.6462.0, which was vulnerable to CVE-2024-5846, a use-after-free bug disclosed in June 2024.
Dify version 1.14.2 was released with patches for the discovered vulnerabilities. Users are advised to update to the fixed iteration as soon as possible and to implement WAF rules specifically designed to mitigate CVE-2026-41948.
Related: Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks
Related: FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances
Related: Russian Initial Access Broker Behind FortiBleed Campaign
Related: Trump Signs Executive Order Accelerating Post-Quantum Cryptography Migration
