VYPR
Unrated severity · NVD Advisory · Published Feb 27, 2026 · Updated Feb 27, 2026

Dify has a user enumeration issue

CVE-2026-28288

Description

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

Affected products

2
  • Langgenius/Dify (llm-fuzzy), 2 versions: <1.9.0 + 1 more
    • (no CPE) range: <1.9.0
    • (no CPE) range: < 1.9.0
