Unrated severityOSV Advisory· Published Dec 18, 2025· Updated Feb 11, 2026
CVE-2025-63386
CVE-2025-63386
Description
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
20.10.0, 0.10.1, 0.10.2, …+ 1 more
- (no CPE)range: 0.10.0, 0.10.1, 0.10.2, …
- (no CPE)range: = v1.9.1
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.