Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.
AnalysisAI
Dify before version 1.14.0 allows authenticated users to bypass authorization controls and read arbitrary files uploaded by other users within the same tenant by supplying unauthorized file UUIDs in chat-messages API requests. The vulnerability exploits insufficient permission verification on file access endpoints, enabling attackers to circumvent workspace separation and signed URL protections to retrieve sensitive file contents processed through workflows. Publicly available exploit code exists, and a vendor-released patch (version 1.14.0) is available.
Technical ContextAI
Dify is an AI application development platform that manages file uploads and user collaboration within multi-tenant workspaces. The vulnerability resides in the chat-messages endpoints responsible for processing file references during workflow execution. The affected code fails to validate that the authenticated user owns or has explicit permission to access files identified by UUID before passing them to workflow processors. CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause: the application accepts user-supplied file UUIDs as authorization credentials without verifying the requester's relationship to those resources. Attackers exploit this by crafting requests that reference file UUIDs belonging to other workspace members, leveraging the fact that Dify's internal processing mechanisms (workflow processors, file handlers) trust the UUID provided without re-validating ownership. The vulnerability affects the file access control layer across all tenant isolation boundaries within a single workspace.
RemediationAI
Upgrade to Dify version 1.14.0 or later immediately. The vendor has released a patched version available at https://github.com/langgenius/dify/releases/tag/1.14.0. For deployments unable to upgrade immediately, apply compensating controls: (1) Restrict chat-messages API endpoint access to a firewall rule permitting only trusted application servers or VPNs, reducing exposure to random attackers (trade-off: limits external integrations); (2) Implement strict file UUID logging and audit alerts on the chat-messages endpoint to detect anomalous UUID references not matching the authenticated user's file inventory (trade-off: requires operational monitoring overhead); (3) Enforce workspace-level file access policies at the application level by disabling file sharing across users until patched (trade-off: reduces collaboration features). Do not rely on signed URLs or workspace separation alone, as those are bypassed by this vulnerability. Review audit logs for unauthorized file access patterns using the exploit reference at https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d to understand attack signatures.
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another t
A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts
SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute a
Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters o
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a
In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an
Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl
A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5
CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27504