Unrated severity · NVD Advisory · Published Feb 27, 2026 · Updated Feb 27, 2026
Dify has a user enumeration issue
CVE-2026-28288
Description
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.
Affected products
- (no CPE) range: < 1.9.0
- (no CPE) range: < 1.9.0
References
- github.com/langgenius/dify/issues/24323 (mitre, x_refsource_MISC)
- github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx (mitre, x_refsource_CONFIRM)