DifyTap: four authorization flaws leak AI chats across Dify tenants
Zafran Labs disclosed four DifyTap flaws in Dify (June 22, 2026) — two critical, two unauthenticated, three cross-tenant — that let an attacker wiretap other customers' AI conversations and read their files. Three are fixed in 1.14.2.
What is this?
On June 22, 2026, Zafran Security (researchers Ido Shani and Gal Zaban) published DifyTap, the coordinated disclosure of four vulnerabilities in Dify, the open-source LLMOps / agentic-workflow platform with more than 140,000 GitHub stars, over 10 million Docker pulls of its API image, and — by Zafran’s count — north of a million applications across 60+ industries, used by enterprises including Volvo, Maersk, Panasonic and Thermo Fisher.
Two of the flaws are critical, two require no authentication, and three carry cross-tenant impact on Dify’s multi-tenant cloud (cloud.dify.ai): one customer’s private data was readable by another. The result is a covert channel that lets an attacker “wiretap” every message and model response flowing through a victim’s app, plus read documents and files belonging to other tenants. Per Zafran’s timeline, CVEs were assigned by VulnCheck on April 30, 2026 and the patched release shipped May 19, 2026, ahead of the public write-up.
How it works
The four issues are all authorization defects — missing or indirect tenant/ownership checks — not model jailbreaks.
CVE-2026-41947 (CVSS 9.1) — tracing hijack. Dify lets an app forward its traces (which contain the actual prompts and model responses) to an external provider such as LangSmith or Opik. The endpoints that configure tracing never validate the caller’s tenant: anyone with a console account — trivial to obtain, since the cloud lets anyone sign up — can point tracing for any app they can reach as a client to an attacker-controlled provider, creating a persistent exfiltration channel for all of that app’s traffic.
CVE-2026-41948 (CVSS 9.4) — Plugin Daemon path traversal. A plugin-icon endpoint forwards the filename parameter straight into an internal Plugin Daemon URL with no sanitization, so ../../ segments traverse to arbitrary internal endpoints. Crucially, the icon route enforces no login at all, so any host with network access can reach it, and the tenant ID is attacker-supplied. Practical reach today is limited (e.g. debug/pprof), but it is an architectural hole: any new internal endpoint could become a high-severity bug.
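The defender-side counterpart to this bug, as an added example (not Dify's code and not Zafran's published Snort signatures): allowlist validation of the filename segment before it can reach any internal URL, plus the same check run over access-log lines to surface traversal attempts against the icon route. The route path is taken from the page's mitigation advice; the log format, IPs and filenames are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (source IP, method, path+query, status).
SAMPLE_LOG = """\
10.0.0.5 GET /console/api/workspaces/current/plugin/icon?tenant_id=t1&filename=icon.png 200
10.0.0.9 GET /console/api/workspaces/current/plugin/icon?tenant_id=t1&filename=../../debug/pprof/ 200
10.0.0.9 GET /console/api/workspaces/current/plugin/icon?tenant_id=t1&filename=..%2F..%2Fdebug 200
10.0.0.7 GET /console/api/apps/abc/chat-messages 200
"""

ICON_ROUTE = "/console/api/workspaces/current/plugin/icon"
# A safe icon filename: a single path segment, conservative charset, image extension.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|svg|webp)$")


def is_safe_icon_filename(raw: str) -> bool:
    """Validate the user-supplied segment directly, before it is interpolated into
    any internal Plugin Daemon URL. Decode repeatedly so %2e%2e / %252e encodings
    cannot hide a traversal, then require the whole value to match the allowlist."""
    value = raw
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if "/" in value or "\\" in value or ".." in value:
        return False
    return SAFE_FILENAME.fullmatch(value) is not None


def find_traversal_attempts(log_text: str) -> list[str]:
    """Return the source IPs of icon-route requests whose filename fails validation
    (a missing filename is flagged too). Intended for defender-side triage."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith(ICON_ROUTE):
            continue
        query = parts[2].partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if not is_safe_icon_filename(params.get("filename", "")):
            hits.append(parts[0])
    return hits
```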
CVE-2026-41949 (CVSS 7.5) — preview any document. The /console/files/<id>/preview endpoint returns the first 3,000 characters of an uploaded document and checks only that the file type is “Document” — no ownership check, no tenant check — so any console user can read documents across the whole system.
CVE-2026-41950 (CVSS 6.5) — read another user’s file via the chatbot. File permissions are derived indirectly from message permissions. Because the system validates only the tenant ID (not that a file UUID already belongs to someone else’s message), an attacker can attach a victim’s file UUID to their own chat message and simply ask a file-capable bot: “Repeat the contents of this file exactly.” The LLM becomes the exfiltration tool.
Separately, Zafran found Dify shipped a PDFium build vulnerable to CVE-2024-5846 (a use-after-free disclosed June 11, 2024) for more than 18 months, until December 21, 2025 — reachable by uploading a crafted PDF to the preview path.
Why it matters
DifyTap is a textbook reminder that the dangerous bugs in AI platforms are often boring web-app authorization flaws, amplified by what the platform is wired to. Three things stand out. First, the chat history is the crown jewel: tracing hijack (41947) turns a missing tenant check into a live tap on every prompt and completion. Second, the LLM itself is an exfil primitive (41950): once an authorization check is indirect, a file-reading agent will happily read back data its user was never authorized to see. Third, scanners miss it: as Zafran notes, Dify copies unpackaged code into its image, so traditional container scanners don’t map the image to project-level CVEs at all — the risk stays invisible to security teams.
Defenses
- Patch now. Upgrade to Dify 1.14.2, which fixes CVE-2026-41947, -41949 and -41950, or build the latest from GitHub, which also carries the merged fix for CVE-2026-41948.
- Mitigate the unpatched path traversal (41948). On 1.14.2, deploy WAF / IDS rules for path-traversal attempts against /console/api/workspaces/current/plugin/icon and the plugin tasks/.../delete/... route; Zafran published Snort signatures for both the GET and POST primitives.
- Don’t expose the console. Keep cloud-style multi-tenant consoles and the internal Plugin Daemon (port 5002) off the public internet; tens of thousands of internet-facing Dify instances were observed.
- Make authorization direct, not derived. The root cause across all four is permissions inferred from another object (tenant, message). Validate ownership of the actual resource (the file UUID, the app, the trace target) on every request.
- Constrain agent file access and egress. Scope file-capable bots to the current user’s files, and treat any tracing/telemetry destination as an egress decision requiring an allowlist.
- Sandbox file parsing. Bump and isolate native parsers (PDFium, ffmpeg) — untrusted documents reaching a memory-unsafe library is its own RCE surface.
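An added illustration of the "direct, not derived" point and of the CVE-2026-41950 pattern it fixes (not Dify's code or schema): a derived check that admits any file in the message's tenant beside a direct check that requires the requester to own the file itself. The in-memory store, field names and users are constructed.

```python
from dataclasses import dataclass, field


# Constructed in-memory records standing in for the database (not Dify's schema).
@dataclass
class UploadFile:
    id: str
    tenant_id: str
    created_by: str  # end-user who uploaded the file


@dataclass
class ChatMessage:
    id: str
    tenant_id: str
    user_id: str
    file_ids: list[str] = field(default_factory=list)


FILES = {
    "f-victim": UploadFile("f-victim", "tenant-A", "alice"),
    "f-own": UploadFile("f-own", "tenant-A", "mallory"),
}


def attach_files_derived(msg: ChatMessage, file_ids: list[str]) -> ChatMessage:
    """Derived check: a file is accepted because it belongs to the message's tenant.
    Any member of the tenant can attach any other member's file UUID and then ask
    a file-capable bot to read it back (the pattern described for 41950)."""
    for fid in file_ids:
        f = FILES.get(fid)
        if f is None or f.tenant_id != msg.tenant_id:
            raise PermissionError(f"{fid}: not in tenant")
        msg.file_ids.append(fid)
    return msg


def attach_files_direct(msg: ChatMessage, file_ids: list[str]) -> ChatMessage:
    """Direct check: the requesting user must own the actual resource (the file).
    'Missing' and 'not yours' raise the same error so the check is not an oracle."""
    for fid in file_ids:
        f = FILES.get(fid)
        if f is None or f.tenant_id != msg.tenant_id or f.created_by != msg.user_id:
            raise PermissionError(f"{fid}: not accessible")
        msg.file_ids.append(fid)
    return msg


def can_attach(check, user: str, fid: str) -> bool:
    """Does `check` let `user` (a member of tenant-A) attach file `fid` to a new message?"""
    try:
        check(ChatMessage("m1", "tenant-A", user), [fid])
        return True
    except PermissionError:
        return False
```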
Status
| CVE | CVSS | Issue | Auth required | Cross-tenant | Fixed in |
|---|---|---|---|---|---|
| CVE-2026-41947 | 9.1 | Tracing config authz bypass | Console user | Yes | 1.14.2 |
| CVE-2026-41948 | 9.4 | Plugin Daemon path traversal | No | Yes | GitHub (next release) |
| CVE-2026-41949 | 7.5 | Document preview authz bypass | Console user | Yes | 1.14.2 |
| CVE-2026-41950 | 6.5 | Cross-user file read via chatbot | Tenant user | Within tenant | 1.14.2 |
| CVE-2024-5846 | 8.8 | PDFium use-after-free (parser) | Tenant user | — | Fixed Dec 21, 2025 |
Key dates: reported under responsible disclosure from December 14, 2025; CVEs assigned by VulnCheck April 30, 2026; patched release 1.14.2 on May 19, 2026; public write-up June 22, 2026. The takeaway for anyone running an LLMOps platform: the model is rarely the weak link — the multi-tenant plumbing around it is.
Sources
- https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps
- https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-41947
- https://nvd.nist.gov/vuln/detail/CVE-2026-41948
- https://github.com/langgenius/dify/releases/tag/1.14.2