Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps

Four critical vulnerabilities in the Dify AI platform (including CVE-2026-41947, CVE-2026-41948 and CVE-2026-41950) enable unauthorized access to private chats, cross-tenant document theft, and lateral API calls across multi-tenant environments. The platform powers 1 million applications, making this a widespread supply chain risk. Unpatched instances are immediately exploitable.

CRITICAL | Advisory | Jun 24, 2026
Action required
Identify all Dify deployments in your environment. Immediately patch to version 1.14.2 or later. Deploy WAF rules blocking CVE-2026-41948 exploitation vectors on all Dify instances pending patching. Hunt for anomalous cross-tenant API calls and unauthorized document/chat access in logs.
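To support the first two steps above (inventory Dify deployments, confirm they are at 1.14.2 or later), here is an added example that is not part of the advisory: it scans a docker-compose file for Dify container images and flags any tag below the fixed version or any tag that cannot be compared. It assumes the langgenius/dify-* image naming used by Dify's compose deployment; the compose fragment is constructed sample input.

```python
import re

# Fixed version as stated in the advisory.
FIXED_VERSION = "1.14.2"

# Assumption: Dify images are published as langgenius/dify-<component>:<tag>.
DIFY_IMAGE_RE = re.compile(
    r"""^\s*image:\s*["']?(?P<image>langgenius/dify-[a-z0-9_-]+):(?P<tag>[^"'\s]+)""",
    re.MULTILINE,
)

def parse_version(tag):
    """Turn '1.14.2', 'v1.13.0' or '1.14.2-rc1' into a comparable tuple.
    A pre-release sorts below the final release of the same number;
    non-semver tags such as 'latest' return None."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$", tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")

def find_vulnerable_images(compose_text, fixed=FIXED_VERSION):
    """Return (image, tag, reason) for each Dify image that is below the fixed
    version, or whose tag is not comparable and must be verified by hand."""
    fixed_v = parse_version(fixed)
    findings = []
    for m in DIFY_IMAGE_RE.finditer(compose_text):
        image, tag = m.group("image"), m.group("tag")
        v = parse_version(tag)
        if v is None:
            findings.append((image, tag, "non-semver tag, verify running version"))
        elif v < fixed_v:
            findings.append((image, tag, f"below {fixed}"))
    return findings

# Constructed sample compose fragment (not taken from the Dify project).
SAMPLE_COMPOSE = """\
services:
  api:
    image: langgenius/dify-api:1.13.0
  worker:
    image: "langgenius/dify-api:1.14.2-rc1"
  web:
    image: langgenius/dify-web:1.14.2
  sandbox:
    image: langgenius/dify-sandbox:latest
  db:
    image: postgres:15-alpine
"""

if __name__ == "__main__":
    for image, tag, reason in find_vulnerable_images(SAMPLE_COMPOSE):
        print(f"{image}:{tag} -> {reason}")
```

Run it against each deployment's compose file; anything it reports, including unpinned tags, needs the running version confirmed before the host is considered patched.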
Affected products
Dify

Zafran Security