Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
AnalysisAI
Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters of arbitrary uploaded files across all tenants and workspaces by submitting the file's UUID to the /console/api/files/{file_id}/preview endpoint. The flaw is amplified on Dify Cloud, where free self-registration makes account creation trivial, and publicly available exploit code exists via the Huntr disclosure. No CISA KEV listing has been recorded at time of analysis, but the combination of low-friction account access and a documented PoC raises practical exposure considerably.
Technical ContextAI
Dify is an open-source LLM application development platform (CPE cpe:2.3:a:langgenius:dify) that supports multi-tenant workspaces where users upload documents to power retrieval-augmented generation pipelines. The vulnerability is a classic CWE-639 (Authorization Bypass Through User-Controlled Key): the FilePreviewApi controller in api/controllers/console/files.py called FileService.get_file_preview(file_id) using only the file UUID, and the underlying SQLAlchemy query (select(UploadFile).where(UploadFile.id file_id)) never constrained results to the requesting account's tenant. The upstream patch in PR #35797 introduces current_account_with_tenant() in the controller and adds UploadFile.tenant_id tenant_id to the WHERE clause, enforcing the missing tenant scoping check.
RemediationAI
Upstream fix available via GitHub PR https://github.com/langgenius/dify/pull/35797, which adds tenant scoping to FileService.get_file_preview; upgrade to the first released Dify version that includes this PR (a released patched version greater than 1.14.1 is not independently confirmed from the provided data, so verify the release tag against the PR merge commit before deploying). As an interim compensating control on self-hosted deployments, restrict network access to the /console/api/files/{file_id}/preview endpoint at the reverse proxy or WAF layer to trusted operator IPs, accepting that this will break legitimate in-product file previews for end users. Operators of Dify Cloud-style multi-tenant instances should additionally disable open self-registration if business policy permits, since unauthenticated signup is what converts this from an authenticated-user issue into a near-anonymous one. Review application logs for prior GETs to /console/api/files/*/preview and correlate file_id values against the uploading tenant to detect possible historical abuse.
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another t
A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts
SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute a
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a
In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an
Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl
A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5
CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sa
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30774
GHSA-jv3f-qwf9-wvq9