Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable SQL injection with low complexity, but requires an authenticated low-privilege account (PR:L); full CIA impact confined to the ClickHouse data store, so scope unchanged.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the search_by_full_text method without escaping or parameterization. Attackers can inject malicious SQL through the search parameters to read, modify, or delete data in the underlying ClickHouse database.
AnalysisAI
SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute arbitrary SQL against the underlying ClickHouse database by passing unsanitized search parameters into the search_by_full_text method. Because those parameters are concatenated into the query without escaping or parameterization, an attacker can read, modify, or delete stored vector-store data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Dify instance is configured to use the MyScale vector store backend - the vulnerable search_by_full_text path only runs for MyScale/ClickHouse deployments, so instances using any other vector store are not exploitable via this flaw. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) reflects network reachability, low attack complexity, and full high impact to confidentiality, integrity, and availability of the vulnerable system, but requires low-level privileges (PR:L) - an authenticated Dify account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege Dify account uses a knowledge-base or dataset full-text search feature and supplies a crafted search string containing SQL syntax. Because search_by_full_text concatenates that input directly into the MyScale/ClickHouse query, the injected SQL executes, letting the attacker dump other tenants' embedded documents or delete records. … |
| Remediation | Upgrade to Dify 1.16.0-rc1 or later, which contains the fix (commit d9884efaeea8322706e24c560d2c17e5bf3fab5f, merged via pull request #38295) - Vendor-released patch: 1.16.0-rc1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Dify instances with MyScale backend enabled and review ClickHouse access logs for anomalous SQL activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another t
A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts
Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters o
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a
In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an
Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl
A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5
CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sa
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42973
GHSA-hw83-q5rh-7hgf