VYPR

CVE-2026-41948

Severity: Critical (9.4, NVD Advisory) · Published May 18, 2026 · Updated May 26, 2026

Description

Dify version 1.14.1 and prior contains a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to reach internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, so account creation is trivially accessible to any attacker.


Affected products (3)

  • Langgenius/Dify (3 versions)
    • (no CPE)
    • cpe:2.3:a:dify:dify:*:*:*:*:*:*:*:* range: <=1.14.1
    • (no CPE) range: <=1.14.1
