Multiple critical vulnerabilities in Dify could expose sensitive AI data across tenants and potentially impact more than one million applications.
Dify, which powers AI workflows, chatbots, and retrieval-augmented generation (RAG) pipelines, is heavily adopted across enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher.
With more than 140,000 GitHub stars and over 10 million Docker pulls, the platform has become a core component in production AI systems.
Zafran identified tens of thousands of internet-facing Dify instances during its investigation, highlighting the potential scale of exposure.
Critical Cross-Tenant Data Exposure
The research uncovered four vulnerabilities, including two critical flaws, CVE-2026-41947 (CVSS 9.1) and CVE-2026-41948 (CVSS 9.4).
Three of the four issues enable cross-tenant attacks in Dify’s multi-tenant cloud deployment, allowing attackers to access data belonging to other customers.
One of the most severe issues allows attackers to configure tracing on victim applications because the request is not properly validated against the owning tenant.
By abusing this flaw, an attacker can capture full chat histories, including prompts and model responses, effectively creating a persistent data exfiltration channel.
Another critical vulnerability affects Dify’s Plugin Daemon service. Due to improper input handling, attackers can exploit path traversal flaws via crafted GET and POST requests to access internal APIs.
Notably, these endpoints do not require authentication, thereby significantly increasing the risk of exploitation.

The vulnerabilities also affect Dify’s file-handling mechanisms. Researchers found that attackers could:
- Preview documents uploaded by other tenants without authorization.
- Access sensitive files, including PDFs and images, using only file UUIDs.
- Attach existing file identifiers to new messages to trick AI models into revealing the contents of those files.
These flaws stem from weak permission enforcement and indirect access control models, enabling both cross-tenant and intra-tenant data leakage.
In addition to logic flaws, Dify was found to be using an outdated version of PDFium, which is vulnerable to CVE-2024-5846, a use-after-free bug.
The vulnerable component remained in production for over 18 months after disclosure, allowing attackers to potentially exploit the issue by uploading malicious PDF files.
This highlights a broader issue in AI platforms that process untrusted file formats without adequate sandboxing or dependency management.
Dify has released version 1.14.2, which addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. A fix for CVE-2026-41948 has been merged and is expected in an upcoming release.
Security teams should immediately upgrade to the latest Dify version, deploy WAF rules to block path traversal attacks, monitor plugin and file-related endpoints for suspicious activity, and limit public exposure of Dify instances whenever possible.
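To illustrate the monitoring recommendation above, the following Python script (an added example, not code from Zafran or Dify) scans reverse-proxy access log lines for parent-directory segments on plugin and file routes, including percent-encoded and double-encoded forms. The route prefixes and the sample log lines are constructed assumptions, since the article does not name the affected paths.

```python
import re
from urllib.parse import unquote

# Hypothetical route prefixes, not Dify's real paths (the article lists none):
# replace with the plugin and file routes your reverse proxy exposes.
WATCHED_PREFIXES = ("/plugin/", "/files/")

# Request portion of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(decoded_target):
    """True if any path or query component is exactly a parent-dir segment."""
    return ".." in re.split(r"[/?&=]", decoded_target)


def flag_requests(log_lines):
    """Return (method, raw target) for watched-route requests that traverse."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded = fully_decode(match.group("target"))
        if decoded.startswith(WATCHED_PREFIXES) and has_traversal(decoded):
            hits.append((match.group("method"), match.group("target")))
    return hits


# Constructed sample lines (documentation IP ranges, made-up routes).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /plugin/list HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /plugin/%2e%2e/internal HTTP/1.1" 200 90',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "POST /plugin/..%252f..%252finternal HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Jan/2026:10:00:03 +0000] "GET /files/report..final.pdf HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for method, target in flag_requests(SAMPLE_LOG):
        print(f"traversal attempt: {method} {target}")
```

Access logs record only the request target, so traversal sequences carried in POST bodies need inspection at the WAF or application layer instead.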
The findings are part of Zafran’s “Project DarkSide,” which focuses on uncovering systemic weaknesses in AI infrastructure.
Similar to prior research on the Chainlit framework, this disclosure highlights how modern AI systems, often built on microservices and containerized environments, introduce new attack surfaces that traditional security tools fail to detect.
To address this gap, Zafran introduced a technique called “shadow container image component enrichment,” which improves visibility into application-level vulnerabilities hidden within container images.
An example scenario demonstrates the risk: an attacker signs up for a free Dify cloud account, identifies a public AI application, extracts its internal App ID, and silently enables tracing, gaining continuous access to all user interactions without detection.
As AI adoption accelerates, these vulnerabilities underscore the urgent need for stronger isolation, secure architecture design, and improved visibility across AI supply chains.