VYPR
Medium severity (5.9) · NVD Advisory · Published May 18, 2026 · Updated May 26, 2026

CVE-2026-41949

Description

Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
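The flaw described above is a missing ownership check on a lookup keyed only by the file UUID. The following is an added illustration, not Dify's code: the `UploadFile` model, the `FILES` store, the tenant field name and the function names are assumptions, and the sample records are constructed. It shows the unscoped lookup beside a lookup that is scoped to the caller's tenant, which is the check the advisory says was absent.

```python
# Added illustration of the access-control flaw described in CVE-2026-41949.
# Not Dify's code: the storage model, field names and helper names are assumptions.
from dataclasses import dataclass

PREVIEW_CHARS = 3000  # preview length quoted in the advisory


@dataclass(frozen=True)
class UploadFile:
    id: str          # file UUID, the only value the caller has to supply
    tenant_id: str   # workspace/tenant that owns the upload
    content: str


class NotFound(Exception):
    pass


# Constructed sample store: two tenants, one document each.
FILES = {
    "11111111-1111-4111-8111-111111111111": UploadFile(
        "11111111-1111-4111-8111-111111111111", "tenant-a", "A" * 5000),
    "22222222-2222-4222-8222-222222222222": UploadFile(
        "22222222-2222-4222-8222-222222222222", "tenant-b", "confidential B"),
}


def preview_unscoped(file_id: str) -> str:
    """Vulnerable pattern: the lookup is keyed by UUID alone, so any
    authenticated user who knows the UUID reads any tenant's document."""
    f = FILES.get(file_id)
    if f is None:
        raise NotFound(file_id)
    return f.content[:PREVIEW_CHARS]


def preview_scoped(file_id: str, current_tenant_id: str) -> str:
    """Hardened pattern: the caller's tenant is part of the lookup, so a
    UUID from another workspace is treated exactly like a missing file."""
    f = FILES.get(file_id)
    if f is None or f.tenant_id != current_tenant_id:
        # One error for both "missing" and "not yours" avoids confirming
        # that the UUID exists in some other workspace.
        raise NotFound(file_id)
    return f.content[:PREVIEW_CHARS]
```

In a real service the same scoping belongs in the database query itself (filter on tenant_id together with id), so no code path can fetch a row and forget the check afterwards.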

Affected products (2)

  • Langgenius/Dify (2 versions, no CPE): range <=1.14.1
