VYPR
Advisory · Published Jun 22, 2026 · 1 source

DifyTap: Four Critical Flaws in Open-Source AI Platform Expose Cross-Tenant Chat Data

Researchers disclosed four vulnerabilities in the open-source Dify platform, collectively named DifyTap, that allow unauthenticated attackers to read AI conversations across tenant applications.

Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversations from other customers' applications without requiring authentication.

The vulnerabilities have been collectively codenamed DifyTap by Zafran Security. "Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another," researchers Ido Shani and Gal Zaban said.

The security defects could have allowed attackers to read private AI chats from other customers' applications, creating a covert exfiltration channel for every message and model response. They also made it possible to traverse Dify's internal Plugin Daemon API from unauthenticated requests and trigger cross-tenant internal API calls, as well as preview documents uploaded by other tenants and leak files across users within a tenant by attaching another user's file unique identifier.

Separately, Zafran said it also discovered that Dify's file parsing stack relied on a version of PDFium, an open-source C++ library for PDF rendering, that was vulnerable to CVE-2024-5846 (CVSS score: 8.8), a two-year-old use-after-free bug that could allow a remote attacker to potentially exploit heap corruption via a crafted PDF file.

The remaining vulnerabilities include CVE-2026-41947 (CVSS 9.1), an authorization bypass allowing authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership; CVE-2026-41948 (CVSS 9.4), a path traversal flaw enabling authenticated users to manipulate requests to the Plugin Daemon's internal REST API; CVE-2026-41949 (CVSS 7.5/5.9), an authorization bypass in the file preview endpoint allowing any authenticated user to read up to 3,000 characters of any uploaded document across all tenants; and CVE-2026-41950 (CVSS 6.5), an authorization bypass allowing authenticated users to read full file contents of other users within the same tenant.

The missing tenant ownership checks can be exploited to redirect all messages and responses from victim applications to an attacker-controlled LLM trace provider. "Consequently, an attacker can configure their own tracing for any application they can access as a client, which includes all publicly accessible applications," the researchers explained. "This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application."
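The class of flaw described above, a role check without a tenant ownership check on the trace-configuration write, can be shown in a minimal model alongside the corrected check and a post-patch review of stored configurations. This is an added example, not Dify's code: the `User` and `App` types, the function names, the `set_by_tenant` field and the sample data are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller may not modify the target application."""

@dataclass
class User:
    id: str
    tenant_id: str
    role: str  # "editor", "viewer", ...

@dataclass
class App:
    id: str
    tenant_id: str
    # Hypothetical shape: {"enabled", "endpoint", "set_by_tenant"}
    trace: dict = field(default_factory=dict)

# Constructed sample data: two tenants, one application each.
APPS = {"app-a": App("app-a", "tenant-a"), "app-b": App("app-b", "tenant-b")}

def _store(user, app, endpoint):
    # Record which tenant wrote the config so it can be reviewed later.
    app.trace = {"enabled": True, "endpoint": endpoint, "set_by_tenant": user.tenant_id}
    return app.trace

def set_trace_unchecked(user, app_id, endpoint):
    """Flawed pattern: the role is checked, tenant ownership of the app is not."""
    if user.role != "editor":
        raise Forbidden("editor role required")
    return _store(user, APPS[app_id], endpoint)

def set_trace_checked(user, app_id, endpoint):
    """Corrected pattern: the app must belong to the caller's tenant."""
    app = APPS.get(app_id)
    # Same error for "missing" and "other tenant" so app ids cannot be probed.
    if app is None or app.tenant_id != user.tenant_id:
        raise Forbidden("application not found in caller's tenant")
    if user.role != "editor":
        raise Forbidden("editor role required")
    return _store(user, app, endpoint)

def audit_trace_configs(apps):
    """Post-patch review: enabled trace configs written by a different tenant."""
    return sorted(a.id for a in apps.values()
                  if a.trace.get("enabled") and a.trace.get("set_by_tenant") != a.tenant_id)
```

Because a trace configuration persists once written, upgrading alone does not remove one that was set earlier; a review like `audit_trace_configs` only works where the deployment records who wrote each configuration, which is an assumption here.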

Following responsible disclosure, all vulnerabilities barring CVE-2026-41948 have been addressed in version 1.14.2, which was shipped last month. A fix for the pending flaw is expected to be made available in the next release of Dify. "DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect," the company said.

Synthesized by Vypr AI