Security researchers at Zafran have disclosed four critical and high-severity vulnerabilities in Dify, a widely adopted open-source AI application platform used by enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher. Dubbed “DifyTap,” the vulnerability set enables attackers to silently intercept AI conversations across tenant boundaries, access files belonging to other customers, and potentially exploit an outdated PDF rendering library — all without requiring elevated privileges. With over 140,000 GitHub stars, 10 million Docker pulls, and an estimated one million applications built on the platform, the attack surface is significant.
What Is Dify?
Dify is a platform for building AI workflows, chatbots, and Retrieval-Augmented Generation (RAG) pipelines. It is deployed both as a self-hosted solution and as a multi-tenant cloud service, where multiple organizations share underlying infrastructure while expecting strict data isolation between their tenants. The DifyTap vulnerabilities primarily undermine that isolation guarantee.
The Four Vulnerabilities
Zafran identified four flaws across Dify’s architecture:
- CVE-2026-41947 (CVSS 9.1) — Cross-Tenant Tracing Abuse: Attackers can configure conversation tracing on victim applications without proper tenant validation, enabling continuous capture of full chat histories — including all user prompts and AI model responses — from other tenants’ applications. This creates a persistent, silent data exfiltration channel.
- CVE-2026-41948 (CVSS 9.4) — Plugin Daemon Path Traversal: Dify’s Plugin Daemon service is vulnerable to path traversal via crafted GET and POST requests, allowing attackers to access internal APIs. Critically, these endpoints require no authentication, dramatically lowering the barrier to exploitation.
- CVE-2026-41949 & CVE-2026-41950 — File Access Without Authorization: Attackers can preview documents uploaded by other tenants using only file UUIDs, and can attach those file identifiers to new AI conversations to trick models into revealing the contents of other customers’ private files.
- Outdated PDFium (CVE-2024-5846): Dify was found running a version of PDFium vulnerable to a use-after-free bug that remained in production for over 18 months after public disclosure, allowing potential exploitation via malicious PDF uploads.
A Real-World Attack Scenario
Zafran demonstrated how an attacker with only a free Dify cloud account could execute the following attack chain:
- Sign up for a free Dify cloud account
- Identify a public AI application and extract its internal App ID
- Abuse CVE-2026-41947 to silently enable tracing on that application
- Gain continuous, real-time access to all user conversations — without the victim organization receiving any alerts
This scenario requires no special privileges and leaves minimal forensic traces, making detection extremely difficult without specific monitoring in place.
Scale of Exposure
During its investigation, Zafran identified tens of thousands of internet-facing Dify instances, meaning a significant proportion of deployments are reachable by external attackers. Organizations running Dify in cloud or hybrid environments without network-level access controls are particularly exposed. The platform’s widespread enterprise adoption — particularly in regulated sectors that handle sensitive data — amplifies the potential impact of these flaws.
Patch Availability
Dify has released version 1.14.2, which addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. A fix for CVE-2026-41948 (the unauthenticated Plugin Daemon path traversal) has been merged into the codebase and is expected in an upcoming release. Organizations should upgrade to 1.14.2 immediately and monitor the Dify release channel for the follow-up patch.
Recommended Mitigations
- Upgrade immediately to Dify version 1.14.2 or later
- Restrict public exposure of Dify instances — avoid exposing the Plugin Daemon or internal API endpoints to the internet
- Deploy WAF rules to detect and block path traversal patterns (e.g., ../ sequences in request paths)
- Monitor plugin and file-related API endpoints for anomalous cross-tenant access patterns
- Audit tracing configurations across all applications to detect unauthorized tracing enabled by external actors
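The path traversal rule recommended above can also be run over access logs as detection logic. The following is an added example, not code from Zafran or Dify; the log lines and request paths are constructed placeholders, not real Dify endpoints. It goes beyond a literal ../ match by decoding percent-encoded and backslash variants first, and it compares whole path segments so that file names containing ".." are not flagged.

```python
import re
from urllib.parse import unquote

# Assumption: three rounds cover single-, double- and triple-encoded input.
MAX_DECODE_ROUNDS = 3

def normalize_path(raw_path: str) -> str:
    """Drop the query string, percent-decode until stable, unify separators."""
    path = raw_path.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(raw_path: str) -> bool:
    """True when any whole path segment equals '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))

# Constructed sample log (common log format); paths are hypothetical.
SAMPLE_LOG = """\
198.51.100.10 - - [01/Jan/2026:10:00:01 +0000] "GET /console/api/apps HTTP/1.1" 200 812
203.0.113.5 - - [01/Jan/2026:10:00:02 +0000] "GET /plugin/x/../../internal HTTP/1.1" 200 64
203.0.113.5 - - [01/Jan/2026:10:00:03 +0000] "POST /plugin/x/%2e%2e%2f%2e%2e%2finternal HTTP/1.1" 200 64
203.0.113.6 - - [01/Jan/2026:10:00:04 +0000] "GET /plugin/x/%252e%252e/internal HTTP/1.1" 404 0
198.51.100.11 - - [01/Jan/2026:10:00:05 +0000] "GET /files/report..v2.pdf/preview HTTP/1.1" 200 2048
203.0.113.6 - - [01/Jan/2026:10:00:06 +0000] "GET /plugin/x/..%5c..%5cinternal HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def flag_requests(log_text: str) -> list:
    """Return (client_ip, method, raw_path) for each request with traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group("path")):
            hits.append((line.split()[0], match.group("method"), match.group("path")))
    return hits

if __name__ == "__main__":
    for ip, method, path in flag_requests(SAMPLE_LOG):
        print(f"ALERT traversal from {ip}: {method} {path}")
```

A naive substring match on ".." would also flag the benign report..v2.pdf request; the segment comparison avoids that false positive.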
Broader AI Security Implications
The DifyTap disclosure is part of Zafran’s “Project DarkSide” initiative, which focuses on identifying systemic weaknesses in AI infrastructure. The findings echo concerns raised by researchers studying other AI frameworks: as enterprises race to deploy AI workflows and chatbot systems, the underlying platforms are often built on microservices and containerized architectures that introduce new attack surfaces not addressed by traditional security tools.
Zafran also introduced a technique called “shadow container image component enrichment” to improve visibility into application-level vulnerabilities hidden inside container images — a capability gap that allowed the outdated PDFium library to persist undetected in production for 18 months. Security teams deploying AI platforms should incorporate container image scanning into their vulnerability management programs and pay close attention to indirect dependencies that may not appear in standard software bills of materials (SBOMs).