Skip to main content

Dify EUVDEUVD-2026-30771

| CVE-2026-41948 CRITICAL
Relative Path Traversal (CWE-23)
2026-05-18 VulnCheck GHSA-h666-98mq-949j
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
May 26, 2026 - 17:22 NVD
9.2 (CRITICAL) 9.3 (CRITICAL)
Analysis Updated
May 18, 2026 - 15:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 18, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
May 18, 2026 - 15:22 NVD
HIGH CRITICAL
CVSS changed
May 18, 2026 - 15:22 NVD
7.7 (HIGH) 9.2 (CRITICAL)
Source Code Evidence Fetched
May 18, 2026 - 15:00 vuln.today
Analysis Generated
May 18, 2026 - 15:00 vuln.today

DescriptionCVE.org

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

AnalysisAI

Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and reach the Plugin Daemon's internal REST API, including debug interfaces, by smuggling unencoded dot sequences through task identifiers or filename parameters. Because Dify Cloud permits unauthenticated free self-registration, the authentication barrier collapses to trivial account creation, and publicly available exploit code exists; the attacker only needs the victim tenant's UUID to pivot. CVSS 4.0 is rated 9.2 with high confidentiality and integrity impact.

More in Dify

View all
CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2026-41947 CRITICAL POC
9.3 May 18

Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another t

CVE-2025-1796 HIGH POC
8.8 Mar 20

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts

CVE-2026-61461 HIGH POC
8.7 Jul 10

SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute a

CVE-2026-41949 HIGH POC
8.2 May 18

Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters o

CVE-2024-12039 HIGH POC
8.1 Mar 20

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a

CVE-2024-12776 HIGH POC
8.1 Mar 20

In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an

CVE-2025-43862 HIGH POC
7.6 Apr 25

Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl

CVE-2024-11824 HIGH POC
7.6 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log

CVE-2024-11822 HIGH POC
7.5 Mar 20

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5

CVE-2025-3466 HIGH POC
7.2 Jul 07

CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.

CVE-2024-10252 HIGH POC
7.2 Mar 20

A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sa

Share

EUVD-2026-30771 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy