[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fENVT3mn9S00i0lsi-k8OCpNdv3jTe0AcTdXP4wvu0XM":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"45bf36bb-39ac-46c7-a197-7a5fd5a8c938","Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants","researchers-detail-difytap-flaws-in-dify-that-could-expose-ai-chats-across-tenan-a5471b","Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversions from other customers' applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security.","Cybersecurity researchers have identified four critical vulnerabilities in the open-source AI platform Dify, collectively named DifyTap. These flaws could allow attackers to access and exfiltrate AI chat conversations from other tenants without authentication, bypass authorization checks, and traverse internal APIs. One vulnerability also leverages a known PDFium flaw, CVE-2024-5846.","Four Dify vulnerabilities, dubbed DifyTap, allow unauthorized access to AI chats across tenants.","Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants Ravie LakshmananJun 22, 2026AI Security \u002F Vulnerability Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversions from other customers' applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security. \"Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another,\" researchers Ido Shani and Gal Zaban said. The security defects could have allowed attackers to read private AI chats from other customers' applications, creating a covert exfiltration channel for every message and model response. They also made it possible to traverse Dify's internal Plugin Daemon API from unauthenticated requests and trigger cross-tenant internal API calls, as well as preview documents uploaded by other tenants and leak files across users within a tenant by attaching another user's file unique identifier. Separately, Zafran said it also discovered that Dify's file parsing stack relied on a version of PDFium, an open-source C++ library for PDF rendering, that was vulnerable to CVE-2024-5846 (CVSS score: 8.8), a two-year-old use-after-free bug that could allow a remote attacker to potentially exploit heap corruption via a crafted PDF file. The remaining vulnerabilities are listed below - CVE-2026-41947 (CVSS score: 9.1) - An authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. CVE-2026-41948 (CVSS score: 9.4) - A path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization and access internal, private endpoints. CVE-2026-41949 (CVSS score: 7.5\u002F5.9) - An authorization bypass vulnerability in the file preview endpoint (\"\u002Fconsole\u002Fapi\u002Ffiles\u002F{file_id}\u002Fpreview\") that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. CVE-2026-41950 (CVSS score: 6.5) - An authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. The missing tenant ownership checks can be exploited to redirect all messages and responses from victim applications to an attacker-controlled LLM trace provider. It's worth noting that anyone can freely register for a Dify account. \"Consequently, an attacker can configure their own tracing for any application they can access as a client, which includes all publicly accessible applications,\" the researchers explained. \"This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application.\" Following responsible disclosure, all vulnerabilities barring CVE-2026-41948 have been addressed in version 1.14.2, which was shipped last month. A fix for the pending flaw is expected to be made available in the next release of Dify. \"DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect,\" the company said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Security, Cloud security, data exfiltration, Path Traversal, Vulnerability ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fresearchers-detail-difytap-flaws-in.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjrjCumekV1hjkgdgebp4RqfYc_Yt9Swv4lG7ds3XMDHG9f-JxSuJSWY3UcWIoivJoJkJjdlBvtiQAHKy7NNgApCoD8ADtOpicXvKf9RJwAZT1DEGUkgX87bmSR8cO75Ss__mnLn8MyDEddnzhyphenhyphenRfcf_gWEtoLiKu53yXNQJtT0DP7nZufqBhB3P8VmvV48\u002Fs1600\u002Fdify.png","2026-06-22T16:13:28+00:00","2026-06-22T18:00:18.159039+00:00",8,[18,21,24,26],{"name":19,"type":20},"Dify","product",{"name":22,"type":23},"AI","technology",{"name":25,"type":20},"PDFium",{"name":27,"type":28},"Zafran Security","vendor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":29,"icon":31,"name":32,"slug":33},null,"Vulnerabilities","vulnerabilities",[35,37,42,47],{"category":36},{"id":29,"icon":31,"name":32,"slug":33},{"category":38},{"id":39,"icon":31,"name":40,"slug":41},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":43},{"id":44,"icon":31,"name":45,"slug":46},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":48},{"id":49,"icon":31,"name":50,"slug":51},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",[53,57,60,63,66],{"type":54,"value":55,"context":56},"cve","CVE-2024-5846","Vulnerability in PDFium library used by Dify",{"type":54,"value":58,"context":59},"CVE-2026-41947","Authorization bypass in trace configurations",{"type":54,"value":61,"context":62},"CVE-2026-41948","Path traversal vulnerability in Plugin Daemon API",{"type":54,"value":64,"context":65},"CVE-2026-41949","Authorization bypass in file preview endpoint",{"type":54,"value":67,"context":68},"CVE-2026-41950","Authorization bypass for reading files across users within a tenant"]