Severity by source
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse_openai_plugin_json_to_tool_bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Server-side request forgery in Dify up to version 1.13.3 allows authenticated remote attackers to manipulate the URL argument in the ApiBasedToolSchemaParser component, enabling arbitrary HTTP requests from the server to internal or external systems. The vulnerability affects the parse_openai_plugin_json_to_tool_bundle function in api/core/tools/utils/parser.py. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires: (1) authenticated access to the Dify API: the attacker must possess valid credentials or be a legitimate user with API access (PR:L in the CVSS vector confirms this requirement); (2) the ability to submit or modify an OpenAI plugin configuration containing a malicious 'url' parameter; (3) the targeted URL must be reachable from the Dify server's network perspective (e.g., internal services on the same network, metadata endpoints if Dify is cloud-hosted). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.3 with CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R indicates network-accessible SSRF with low attack complexity requiring authenticated access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user (e.g., an employee with access to a Dify instance, or an account created via public sign-up on a vulnerable deployment) submits a malicious OpenAI plugin configuration with a crafted URL pointing to an internal service (e.g., http://localhost:6379 for Redis, http://169.254.169.254/metadata for AWS metadata, or http://internal-api.example.com). When Dify parses the plugin JSON via parse_openai_plugin_json_to_tool_bundle, the unvalidated URL is used in an HTTP request made by the server. … |
| Remediation | Immediate action: upgrade Dify to a version later than 1.13.3 once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
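The scenario above hinges on the server fetching a user-supplied URL without checking where it points. As an added example (not Dify's code and not the project's parser), this is the kind of outbound-URL check a server can apply before issuing such a request: it accepts only http/https, resolves hostnames first so that names like `localhost` or a DNS entry pointing at an internal host are caught as well as literal IPs, unwraps IPv4-mapped IPv6 literals, and rejects loopback, private, link-local (cloud metadata) and other non-public ranges. The function names and the `FAKE_DNS` table are assumptions constructed for this example so it runs offline.

```python
# Added example, not Dify's code: an allow/deny check for a URL the server is
# about to fetch on behalf of a user. Names and the FAKE_DNS table are
# constructed for the example.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only for a globally routable unicast address."""
    addr = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) is judged as the embedded IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_host(host):
    """Every address the system resolver returns for host (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolve=resolve_host):
    """Return (allowed, reason) for a URL the server is about to request."""
    try:
        parts = urlparse(url)
        host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    try:
        targets = [str(ipaddress.ip_address(host))]   # literal IP address
    except ValueError:
        try:
            targets = resolve(host)                    # DNS name: check every answer
        except OSError:
            return False, f"cannot resolve {host!r}"
    if not targets:
        return False, f"no addresses for {host!r}"
    for ip in targets:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolver table so the example runs offline (addresses are made up
# for the example; 8.8.8.8 stands in for any ordinary public address).
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "internal-api.example.com": ["10.0.0.5"],
    "api.example.com": ["8.8.8.8"],
    "2130706433": ["127.0.0.1"],   # decimal IPv4 form that libc resolvers accept
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["http://localhost:6379/", "http://169.254.169.254/metadata",
              "http://internal-api.example.com/", "http://[::ffff:127.0.0.1]/",
              "http://2130706433/", "https://api.example.com/openapi.json",
              "ftp://files.example.com/spec.json", "http://user@8.8.8.8/"]:
        print(u, check_outbound_url(u, resolve=fake_resolve))
```

Checking the URL and then fetching it in a separate step still leaves a window for DNS rebinding between the two lookups; in production the same test belongs on the address actually connected to (for example by pinning the validated IP in the HTTP client), and egress network policy on the host remains the backstop that does not depend on parser correctness.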
External POC / Exploit Code
EUVD-2026-23807