Researchers have disclosed four critical vulnerabilities in Dify, an open-source agentic workflow platform used by major companies to power AI workflows, chatbots, and retrieval-augmented generation (RAG) pipelines. The flaws, collectively known as DifyTap, could allow attackers to expose sensitive AI data across tenants and potentially impact over one million applications.

What Happened

The vulnerabilities were discovered by Zafran Security researchers, who identified tens of thousands of internet-facing Dify instances during their investigation. The flaws stem from weak permission enforcement and indirect access control models, enabling both cross-tenant and intra-tenant data leakage. Three of the four issues enable cross-tenant attacks in Dify's multi-tenant cloud deployment, allowing attackers to access data belonging to other customers.

The most severe flaw is CVE-2026-41947 (CVSS score of 9.1), which lives in Dify's tracing system. An attacker can configure their own tracing for any application they can access as a client, including all publicly accessible applications. This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application.

The second critical flaw, tracked as CVE-2026-41948 (CVSS score of 9.4), resides in the Plugin Daemon, the internal service that runs Dify's plugin system. The researchers discovered two primitives that allow access to arbitrary endpoints within the Plugin Daemon: one via GET and one via POST. Both primitives require no authentication, making it easy for attackers to exploit them.

Background and Context

Dify is an open-source agentic workflow platform with over 146,000 GitHub stars and more than 10 million Docker pulls. It powers AI workflows, chatbots, and RAG pipelines for major companies like Volvo, Maersk, Panasonic, and Thermo Fisher. The platform has become a core component in production AI systems, making the vulnerabilities disclosed by Zafran Security particularly concerning.

The researchers found that Dify's tracing system is vulnerable to CVE-2026-41947 (CVSS score of 9.1), which allows attackers to configure their own tracing for any application they can access as a client. This flaw is particularly severe because it enables an attacker to create a persistent exfiltration channel for all messages and responses sent in the application.

The Plugin Daemon, responsible for running Dify's plugin system, is also vulnerable to CVE-2026-41948 (CVSS score of 9.4).

Why It Matters to the Industry

The DifyTap vulnerabilities have significant implications for the adult industry, which relies heavily on AI-powered platforms for content creation and moderation. The flaws could allow attackers to expose sensitive AI data across tenants and potentially impact over one million applications. This raises concerns about data privacy, security, and compliance with regulations such as GDPR and CCPA.

The vulnerabilities also highlight the importance of robust permission enforcement and indirect access control models in AI platforms. Weak permission enforcement can lead to cross-tenant and intra-tenant data leakage, compromising sensitive information and putting users at risk.
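The permission gap behind the tracing flaw, as an added sketch that is not Dify's code or the researchers': a management action (setting a trace destination) gated only by the client-level access check, next to a check that requires a managing role in the app's own tenant, plus an audit of existing trace destinations. The data model, role names, hostnames and the destination allowlist are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Hypothetical model for illustration; not Dify's schema or API.
@dataclass
class App:
    app_id: str
    tenant_id: str
    is_public: bool
    trace_endpoint: Optional[str] = None

@dataclass
class Caller:
    user_id: str
    tenant_roles: dict = field(default_factory=dict)  # tenant_id -> role

MANAGE_ROLES = {"owner", "admin"}  # assumed role names

def can_use_app(caller, app):
    """Client-level access: anyone for a public app, tenant members otherwise."""
    return app.is_public or app.tenant_id in caller.tenant_roles

def set_trace_weak(caller, app, endpoint):
    """Flawed pattern: a management action reuses the client-level check."""
    if not can_use_app(caller, app):
        raise PermissionError("no access to app")
    app.trace_endpoint = endpoint

def set_trace_strict(caller, app, endpoint, allowed_hosts):
    """Hardened pattern: direct tenant-role check plus destination allowlist."""
    if caller.tenant_roles.get(app.tenant_id) not in MANAGE_ROLES:
        raise PermissionError("tracing requires a managing role in the app's tenant")
    host = urlparse(endpoint).hostname
    if host not in allowed_hosts:
        raise ValueError(f"trace destination {host!r} is not allowlisted")
    app.trace_endpoint = endpoint

def audit_trace_configs(apps, allowed_hosts):
    """Return ids of apps whose trace destination is outside the allowlist."""
    return [a.app_id for a in apps
            if a.trace_endpoint and urlparse(a.trace_endpoint).hostname not in allowed_hosts]

if __name__ == "__main__":
    # Constructed sample: a public app in tenant-a and a caller from tenant-b.
    app = App("app-1", "tenant-a", is_public=True)
    set_trace_weak(Caller("outsider", {"tenant-b": "owner"}), app,
                   "https://collector.other.example/ingest")
    print(audit_trace_configs([app], {"traces.tenant-a.example"}))
```
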

What Comes Next

Dify has not yet issued a statement on the vulnerabilities or provided any patches or updates to address them. However, the researchers have made their findings public, and it is essential for Dify's users and administrators to take immediate action to mitigate the risks associated with these flaws.

Key Facts

  • The DifyTap vulnerabilities could allow attackers to expose sensitive AI data across tenants and potentially impact over one million applications.
  • The most severe flaw, CVE-2026-41947 (CVSS score of 9.1), lives in Dify's tracing system and allows attackers to create a persistent exfiltration channel for all messages and responses sent in the application.
  • The second critical flaw, CVE-2026-41948 (CVSS score of 9.4), resides in the Plugin Daemon and requires no authentication to exploit.
  • Dify is an open-source agentic workflow platform with over 146,000 GitHub stars and more than 10 million Docker pulls.
  • The vulnerabilities highlight the importance of robust permission enforcement and indirect access control models in AI platforms.