DifyTap: Newly Discovered Flaws Place 1 Million+ AI Applications at Risk


Researchers from Zafran Labs have uncovered a set of four vulnerabilities, collectively dubbed DifyTap, affecting Dify, a widely used open-source AI platform powering more than a million applications across dozens of industries. Among these issues, two are classified as critical, require no authentication for exploitation, and allow attackers to access sensitive data across different customers in shared environments.

The vulnerabilities expose serious risks, including cross-tenant data leakage, unauthorized access to private documents, and interception of AI-generated conversations. In multi-tenant deployments, this means one organization’s confidential data could potentially be accessed by another, significantly widening the impact.

Critical Vulnerabilities Enabling Data Exposure

The most severe issue, tracked as CVE-2026-41947 (CVSS 9.1), affects Dify’s tracing system responsible for recording AI interactions for monitoring and analytics. This flaw allows an attacker to configure tracing on any accessible application, including publicly available ones. By doing so, the attacker can silently capture all incoming messages and AI responses, effectively establishing a persistent data-exfiltration channel. Notably, exploiting this flaw requires nothing more than a standard user account, which can be obtained simply by registering on the platform.

Another critical vulnerability, CVE-2026-41948 (CVSS 9.4), resides within the platform’s Plugin Daemon service. Researchers identified two exploitation paths, one using GET requests and another using POST, both enabling unauthorized access to internal endpoints. These flaws stem from improper input validation, allowing attackers to inject path traversal payloads into requests. Even more concerning, these endpoints can be accessed without authentication, meaning any attacker with network-level access could exploit them.

File Access and Cross-Tenant Data Leakage

The two additional vulnerabilities, CVE-2026-41949 and CVE-2026-41950, relate to file handling. One flaw allows users to preview any uploaded document on the platform without verifying ownership or tenant boundaries. As a result, any authorized user could view files belonging to other organizations.

The second file-related vulnerability enables attackers to link another user’s file to their own AI interaction session. By prompting an AI model capable of file processing, attackers can trick the system into revealing the contents of the file, effectively turning the AI itself into a data exfiltration mechanism.
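The check that both file flaws are described as missing can be shown as one tenant-scoped lookup shared by the preview path and the attach-to-conversation path. This is an added example, not Dify's code: the `User` and `UploadedFile` models, the in-memory `FILES` store and all function names are hypothetical, and the records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str


@dataclass(frozen=True)
class UploadedFile:
    id: str
    tenant_id: str
    content: str


class FileNotFound(Exception):
    """Raised for missing files and for files outside the caller's tenant."""


# Constructed sample store (hypothetical): one file per tenant.
FILES = {
    "f-1": UploadedFile("f-1", "tenant-a", "tenant A contract"),
    "f-2": UploadedFile("f-2", "tenant-b", "tenant B payroll"),
}


def get_file_unscoped(file_id: str) -> UploadedFile:
    """The flawed pattern: lookup by id alone, with no tenant check."""
    return FILES[file_id]


def get_file_scoped(user: User, file_id: str) -> UploadedFile:
    """Lookup bound to the caller's tenant; same error for 'absent' and 'foreign'."""
    record = FILES.get(file_id)
    if record is None or record.tenant_id != user.tenant_id:
        raise FileNotFound(file_id)
    return record


def preview(user: User, file_id: str) -> str:
    """Preview path: the first 200 characters, only for files in the caller's tenant."""
    return get_file_scoped(user, file_id).content[:200]


def attach_to_message(user: User, file_ids: list) -> list:
    """Resolve every id through the scoped lookup before the model sees any file."""
    return [get_file_scoped(user, fid) for fid in file_ids]
```

Returning the same error for a missing file and a foreign one keeps the lookup from confirming which ids exist in other tenants.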

Additional Risks and Broader Implications

During the investigation, researchers also discovered that Dify had been running a vulnerable version of PDFium affected by a previously disclosed use-after-free flaw (CVE-2024-5846) for over a year. This vulnerability could be triggered simply by uploading a malicious PDF file, exposing systems to potential exploitation.

The findings highlight a broader security concern across AI platforms. Many of these systems process untrusted content from users, such as documents, media files, or code, making them susceptible to known vulnerabilities in underlying libraries like PDFium or ffmpeg. Without proper isolation or sandboxing, these components introduce additional attack vectors.

Challenges in Detection

Another notable issue uncovered during the research involves limitations in container security scanning. Dify’s architecture includes unpackaged application code embedded directly into container images. As a result, traditional vulnerability scanners fail to recognize the application as a distinct component, leaving its vulnerabilities undetected.

To address this gap, Zafran introduced a technique called “shadow container image component enrichment,” which attempts to map application code to known vulnerabilities even when standard detection methods fail. Without such advanced approaches, these flaws could remain invisible within many environments.

Mitigation and Recommendations

The vulnerabilities have been addressed in Dify version 1.14.2, and users are strongly encouraged to upgrade immediately. As an additional safeguard, deploying Web Application Firewall (WAF) rules, particularly to mitigate exploitation of the Plugin Daemon flaw, is recommended.

Ultimately, the DifyTap vulnerabilities underscore the challenges of securing modern AI platforms. Beyond patching, organizations should adopt stronger isolation controls, enforce strict validation mechanisms, and continuously monitor for abnormal access patterns to reduce exposure.
