Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
AnalysisAI
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another tenant's LLM trace traffic - including prompts and model responses - to an attacker-controlled observability provider. Because Dify Cloud permits free self-registration, the authentication barrier is effectively trivial; publicly available exploit code exists and a vendor patch is shipped via PR #35793. The flaw is an instance of CWE-639 (insecure direct object reference) in the trace-configuration endpoints, which accepted an app_id without validating tenant ownership.
Technical ContextAI
Dify is an open-source LLM application development platform (CPE cpe:2.3:a:langgenius:dify) whose console API exposes per-application tracing controls that integrate with external observability providers such as Langfuse. The vulnerable handlers in api/controllers/console/app/app.py (AppTraceApi) and api/controllers/console/app/ops_trace.py (TraceAppConfigApi) accepted a raw app_id UUID from the URL and forwarded it directly to OpsTraceManager / OpsService without confirming that the caller's tenant owned the application - a textbook CWE-639 Authorization Bypass Through User-Controlled Key. The upstream fix replaces the raw UUID parameter with the @get_app_model decorator, which resolves the app through the requesting account's tenant scope and returns 404 when the app belongs to another tenant, as the new integration test test_trace_endpoints_hide_apps_from_other_tenants demonstrates.
RemediationAI
Upgrade Dify to the version that incorporates PR #35793 (https://github.com/langgenius/dify/pull/35793), which introduces the @get_app_model tenant-ownership decorator on the AppTraceApi and TraceAppConfigApi GET/POST/PATCH/DELETE handlers; an exact tagged release version was not provided in the input data, so confirm the fix is included against the vendor's release notes before deploying. Where immediate upgrade is impossible, compensating controls include disabling external trace-provider integrations entirely (removes the high-value sink, at the cost of losing Langfuse/observability features), placing the /console/api/apps/<app_id>/trace and /trace-config endpoints behind a reverse-proxy WAF rule that enforces session-to-tenant binding, and on Dify Cloud temporarily disabling open self-registration to raise the cost of account creation (which breaks the public signup flow). Rotate any third-party LLM trace-provider API keys that may have been exposed and audit existing trace configurations across applications for unfamiliar provider endpoints.
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and
A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts
SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute a
Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters o
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a
In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an
Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl
A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5
CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sa
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30772
GHSA-48v9-p8g8-55vg