Skip to main content

Dify CVE-2026-41949

| EUVDEUVD-2026-30774 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-18 VulnCheck GHSA-jv3f-qwf9-wvq9
8.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 18, 2026 - 15:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 18, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
May 18, 2026 - 15:22 NVD
MEDIUM HIGH
CVSS changed
May 18, 2026 - 15:22 NVD
5.9 (MEDIUM) 8.2 (HIGH)
Source Code Evidence Fetched
May 18, 2026 - 15:01 vuln.today
Analysis Generated
May 18, 2026 - 15:01 vuln.today

DescriptionCVE.org

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

AnalysisAI

Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters of arbitrary uploaded files across all tenants and workspaces by submitting the file's UUID to the /console/api/files/{file_id}/preview endpoint. The flaw is amplified on Dify Cloud, where free self-registration makes account creation trivial, and publicly available exploit code exists via the Huntr disclosure. No CISA KEV listing has been recorded at time of analysis, but the combination of low-friction account access and a documented PoC raises practical exposure considerably.

Technical ContextAI

Dify is an open-source LLM application development platform (CPE cpe:2.3:a:langgenius:dify) that supports multi-tenant workspaces where users upload documents to power retrieval-augmented generation pipelines. The vulnerability is a classic CWE-639 (Authorization Bypass Through User-Controlled Key): the FilePreviewApi controller in api/controllers/console/files.py called FileService.get_file_preview(file_id) using only the file UUID, and the underlying SQLAlchemy query (select(UploadFile).where(UploadFile.id file_id)) never constrained results to the requesting account's tenant. The upstream patch in PR #35797 introduces current_account_with_tenant() in the controller and adds UploadFile.tenant_id tenant_id to the WHERE clause, enforcing the missing tenant scoping check.

RemediationAI

Upstream fix available via GitHub PR https://github.com/langgenius/dify/pull/35797, which adds tenant scoping to FileService.get_file_preview; upgrade to the first released Dify version that includes this PR (a released patched version greater than 1.14.1 is not independently confirmed from the provided data, so verify the release tag against the PR merge commit before deploying). As an interim compensating control on self-hosted deployments, restrict network access to the /console/api/files/{file_id}/preview endpoint at the reverse proxy or WAF layer to trusted operator IPs, accepting that this will break legitimate in-product file previews for end users. Operators of Dify Cloud-style multi-tenant instances should additionally disable open self-registration if business policy permits, since unauthenticated signup is what converts this from an authenticated-user issue into a near-anonymous one. Review application logs for prior GETs to /console/api/files/*/preview and correlate file_id values against the uploading tenant to detect possible historical abuse.

More in Dify

View all
CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2026-41948 CRITICAL POC
9.3 May 18

Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and

CVE-2026-41947 CRITICAL POC
9.3 May 18

Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another t

CVE-2025-1796 HIGH POC
8.8 Mar 20

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts

CVE-2026-61461 HIGH POC
8.7 Jul 10

SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute a

CVE-2024-12039 HIGH POC
8.1 Mar 20

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a

CVE-2024-12776 HIGH POC
8.1 Mar 20

In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an

CVE-2025-43862 HIGH POC
7.6 Apr 25

Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl

CVE-2024-11824 HIGH POC
7.6 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log

CVE-2024-11822 HIGH POC
7.5 Mar 20

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5

CVE-2025-3466 HIGH POC
7.2 Jul 07

CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.

CVE-2024-10252 HIGH POC
7.2 Mar 20

A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sa

Share

CVE-2026-41949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy