IT Brief US - Technology news for CIOs & IT decision-makers
Dify flaws expose cross-tenant AI data, Zafran says

Wed, 24th Jun 2026
Mark Tarre, News Chief

Zafran Security has disclosed four vulnerabilities in the open-source AI platform Dify. Three of them could expose data across tenants in Dify's cloud service.

Dify is used to build AI applications, chatbots and workflows. Zafran said the platform underpins more than 1 million applications. It also identified tens of thousands of internet-facing Dify instances and noted adoption by large companies including Volvo, Maersk, Panasonic and Thermo Fisher.

Two of the reported issues were described as critical, and two could be exploited without authentication. The flaws could let attackers read private AI conversations, preview uploaded documents from other tenants, attach another user's file to a chat flow within a tenant, and reach internal APIs through the platform's plugin architecture.

One vulnerability, tracked as CVE-2026-41947, centred on Dify's tracing functions. The relevant endpoints did not validate the sender's tenant, meaning a user with a Dify console account could configure tracing for applications outside their own tenant if they knew the target application ID.

That access could create a channel for collecting messages and model responses from public-facing applications. In Dify's cloud setup, obtaining a console account was straightforward because users can sign up to the service directly, Zafran said.

Another issue, CVE-2026-41948, involved the Plugin Daemon, which manages Dify's plugin system and exposes internal APIs. Zafran found GET and POST request paths that could be manipulated through path traversal, allowing requests to arbitrary endpoints inside the daemon.

The GET route was especially significant because it did not require login and accepted a tenant ID from the user. That opened a path to internal endpoints and created cross-tenant risk in the shared cloud environment.
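A defensive sketch of the check this class of bug calls for, added here as an illustration and not taken from Dify's or Zafran's code: the forwarder takes the tenant from the authenticated session, decodes the user-supplied path until it is stable, rejects dot segments and only forwards allowlisted operations. The `/plugin` prefix, the operation names and every function name are assumptions made for the example.

```python
from urllib.parse import unquote

# Hypothetical allowlist of daemon operations the API is meant to reach.
ALLOWED_OPERATIONS = {"tools/list", "models/list"}


class ForwardRejected(Exception):
    """Raised when a request must not be forwarded to the internal service."""


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so double-encoded dot segments surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ForwardRejected("too many encoding layers")


def build_internal_path(session_tenant, operation: str) -> str:
    """Return the internal path to call, or raise ForwardRejected.

    session_tenant comes from the authenticated session (None if anonymous);
    the tenant is never read from the request itself.
    """
    if session_tenant is None:
        raise ForwardRejected("authentication required")
    decoded = fully_decode(operation)
    if "\\" in decoded or "\x00" in decoded:
        raise ForwardRejected("illegal character")
    if any(seg in ("", ".", "..") for seg in decoded.split("/")):
        raise ForwardRejected("dot or empty segment")
    if decoded not in ALLOWED_OPERATIONS:
        raise ForwardRejected("operation not allowlisted")
    # Constructed internal route layout, for illustration only.
    return f"/plugin/{session_tenant}/{decoded}"
```

The allowlist is what keeps a newly added daemon endpoint from becoming reachable by default; the dot-segment check alone would still forward any well-formed path.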

Two further vulnerabilities, CVE-2026-41949 and CVE-2026-41950, concerned file handling. One allowed any console user to preview the first part of a document uploaded elsewhere in the system because the preview endpoint checked file type but not permission on the file UUID.

The other affected message attachments. Dify validated only the tenant ID when a file UUID was attached to a chat message, not whether the file was already linked to another message. That could let one user within a tenant attach another user's file and potentially prompt a chatbot to reveal its contents, Zafran said.
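The missing checks described for the file preview and attachment endpoints can be modelled as one scoped lookup; the same pattern applies to the application ID in the tracing endpoints. This is an added example, not Dify's code: the data model, the owner-only preview policy and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class NotFound(Exception):
    """Same error for unknown and unauthorized IDs, so IDs cannot be probed."""


@dataclass
class UploadedFile:
    file_id: str
    tenant_id: str
    uploader_id: str
    linked_message_id: Optional[str] = None


class FileStore:
    """Hypothetical in-memory store; a real one would scope the DB query."""

    def __init__(self) -> None:
        self._files: Dict[str, UploadedFile] = {}

    def add(self, f: UploadedFile) -> None:
        self._files[f.file_id] = f

    def get_for_user(self, file_id: str, tenant_id: str, user_id: str) -> UploadedFile:
        """Resolve a UUID only within the caller's tenant and ownership.

        A file-type check or a tenant match alone is not a permission check.
        """
        f = self._files.get(file_id)
        if f is None or f.tenant_id != tenant_id or f.uploader_id != user_id:
            raise NotFound(file_id)
        return f

    def attach(self, file_id: str, message_id: str, tenant_id: str, user_id: str) -> None:
        """Link a file to a message; refuse files already linked elsewhere."""
        f = self.get_for_user(file_id, tenant_id, user_id)
        if f.linked_message_id not in (None, message_id):
            raise NotFound(file_id)
        f.linked_message_id = message_id
```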

Patch status

CVE-2026-41947, CVE-2026-41949 and CVE-2026-41950 were patched in Dify version 1.14.2. A fix for CVE-2026-41948 has been merged into the project's codebase and will appear in the next release. Users of version 1.14.2 were advised to apply mitigations for that issue.

The findings also pointed to a separate concern in Dify's file-parsing stack. According to Zafran, the platform used a version of PDFium vulnerable to CVE-2024-5846 for more than 18 months after that issue became public, leaving systems open to a use-after-free attack if a malicious PDF was uploaded and rendered through the preview function.

The report highlights the security implications of AI application infrastructure, not just model behaviour. Dify combines low-code workflow building with hosting, authentication, persistence and plugin-based integrations, meaning weaknesses in the surrounding platform can expose data even when the model itself is not directly at fault.

Zafran also used the disclosure to argue that common container-scanning approaches may miss vulnerabilities tied to the application layer. Some scanners, it said, fail to identify the underlying project represented by a container image when code is copied directly into the image rather than packaged as a simple binary or operating system component.

That matters in Dify's case because vulnerabilities are reported at the project level, while deployed images may be labelled differently. Zafran said it has introduced what it calls "shadow container image component enrichment" to infer the application behind a container image and match it against project-level CVEs.

Wider use

Dify has become one of the more widely used open-source platforms for managing production AI applications. Zafran said the project has more than 140,000 GitHub stars, more than 10 million pulls of its API image from Docker Hub, and usage across more than 60 industries, with particularly strong popularity in China.

The research distinguishes between Dify's multi-tenant cloud deployment and local single-tenant installations. In the cloud version, a flaw in shared services can expose one customer's data to another. In local deployments, the likely impact is confined to users on the same instance, though that can still include sensitive internal information.

Zafran described the internal Plugin Daemon issue as a more fundamental design weakness because future endpoints added to that service could increase the severity of the same path traversal route. It also said AI applications that parse untrusted file formats such as PDFs, audio and video should regularly update third-party parsers and isolate those operations to reduce risk from known vulnerabilities.

"The current impact is limited in scope, primarily allowing access to debug/pprof for performance data. With this in mind, this is still a fundamental architectural flaw; any new or changed endpoint in the Plugin Daemon could become a high-severity vulnerability," Zafran Security said.