Zafran Security disclosed four vulnerabilities in the DifyTap bundle on June 22, 2026, affecting Dify, an open-source AI workflow platform with over 146,000 GitHub stars. Two are rated critical severity, two required no authentication, and three had cross-tenant impact on the multi-tenant cloud service, allowing an attacker to read conversations and files and to redirect AI data flows between distinct tenants. The disclosure comes a month after the release of version 1.14.2, which fixed three of the four flaws, and reopens a wound first probed by Imperva research in May 2026 on the same pattern of insufficient isolation.
- Zafran Security disclosed four vulnerabilities, dubbed DifyTap, in Dify: two critical severity, two requiring no authentication, three with cross-tenant impact on the multi-tenant cloud.
- CVE-2026-41947 (CVSS 9.1) and CVE-2026-41948 (CVSS 9.4) are the two critical flaws: the first allows persistent redirection of messages to an attacker-controlled trace provider, the second enables path traversal in the internal Plugin Daemon API.
- Three vulnerabilities were patched in Dify 1.14.2, released the month prior to disclosure; the fix for CVE-2026-41948 is expected in the next release.
- Imperva research from May 2026 had already identified cross-tenant vulnerabilities in Dify with a similar pattern, indicating a systemic isolation problem in the platform.
The Four Flaws: From Trace Hijacking to File Read with Just a UUID
CVE-2026-41947 is an authorization bypass with CVSS 9.1 that exploits the lack of tenant ownership checks in trace configuration endpoints. An authenticated attacker with editor privileges can configure tracing for any public application, redirecting all messages and responses to an LLM trace provider controlled by the attacker. Zafran Security describes the mechanism as a "persistent exfiltration channel": not a one-time read, but a continuous intercept of the conversational flow.
CVE-2026-41948, with CVSS 9.4, carries the highest score in the bundle. It is a path traversal in the internal Plugin Daemon API that allows traversing paths outside the authorized tenant using unencoded dot sequences in task identifiers or manipulated filename parameters, accessing private internal endpoints such as debug interfaces. This is the only one of the four vulnerabilities without a released fix at the time of disclosure.
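The defensive side of this class of bug, as an added example that is not Dify's or Zafran's code: an identifier that ends up in an internal API path is allowlisted before use, and the finished path is checked for containment in the tenant's prefix. The route layout (`/internal/tenants/.../tasks/...`), the function names and the sample identifiers are assumptions made for the illustration.

```python
import re

# Hypothetical internal route layout, used only for this illustration.
BASE = "/internal/tenants"
SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")

def normalise(path):
    """Collapse '.' and '..' segments the way a router or proxy typically does."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def build_path_naive(tenant_id, task_id):
    """'Before' form: the caller-supplied identifier is concatenated unchecked."""
    return f"{BASE}/{tenant_id}/tasks/{task_id}"

def build_path_checked(tenant_id, task_id):
    """Allowlist both identifiers, then confirm the path stays in tenant scope."""
    for value in (tenant_id, task_id):
        # fullmatch rejects dots, slashes, '%' (encoded forms) and empty input
        if not SAFE_ID.fullmatch(value):
            raise ValueError(f"identifier rejected: {value!r}")
    prefix = f"{BASE}/{tenant_id}/tasks/"
    path = prefix + task_id
    # Defence in depth: normalisation must not change or relocate the path
    if normalise(path) != path or not path.startswith(prefix):
        raise ValueError("path escapes tenant scope")
    return path

def is_rejected(task_id):
    """True when the checked builder refuses the identifier."""
    try:
        build_path_checked("t1", task_id)
    except ValueError:
        return True
    return False
```
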
CVE-2026-41949 (CVSS 7.5/5.9 per NVD metrics) concerns the file preview endpoint: any authenticated user can read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file UUID. The 3,000-character threshold is a technical limit that does not mitigate the impact: knowing the UUID, an identifier often exposed in logs, URLs, or API responses, is sufficient.
CVE-2026-41950 (CVSS 6.5) is an authorization bypass in the chat-messages endpoint that allows authenticated users to read the full content of files uploaded by other users in the same tenant by supplying an arbitrary UUID in the request's files array. According to NVD the fix is in version 1.14.0; Zafran places the DifyTap bundle fix in 1.14.2. The discrepancy cannot be resolved without access to full release notes, and the dossier does not clarify it.
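The missing control in the file-preview and chat-messages cases is an ownership check on the UUID. The sketch below is an added example, not Dify's code: it puts a lookup keyed on the UUID alone beside one that compares the file's tenant and owner with the caller's. The data model, the names and the owner-only policy are assumptions; a deployment that shares files inside a workspace would replace the owner comparison with its own sharing rule.

```python
from dataclasses import dataclass

PREVIEW_LIMIT = 3000  # character cap the article cites for the preview endpoint

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Upload:
    tenant_id: str
    owner_id: str
    text: str

@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: str

# Constructed sample data: two tenants, three users, two uploads.
STORE = {
    "file-a1": Upload("tenant-a", "alice", "A" * 5000),
    "file-a2": Upload("tenant-a", "adam", "adam's notes"),
}
ALICE = Caller("alice", "tenant-a")
ADAM = Caller("adam", "tenant-a")
BOB = Caller("bob", "tenant-b")

def preview_uuid_only(store, caller, file_id):
    """'Before' form: authenticated caller, lookup keyed on the UUID alone."""
    return store[file_id].text[:PREVIEW_LIMIT]

def authorise(store, caller, file_id):
    """Return the upload only if it belongs to the caller's tenant and user."""
    upload = store.get(file_id)
    # One error for "missing" and "not yours", so responses do not confirm UUIDs
    if (upload is None or upload.tenant_id != caller.tenant_id
            or upload.owner_id != caller.user_id):
        raise Forbidden("file not found")
    return upload

def preview_checked(store, caller, file_id):
    return authorise(store, caller, file_id).text[:PREVIEW_LIMIT]

def resolve_chat_files(store, caller, file_ids):
    """Apply the same check to every UUID in a request's files array."""
    return [authorise(store, caller, fid) for fid in file_ids]
```
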
The Hidden Dependency: PDFium Vulnerable for Two Years
Dify's file parsing stack used a version of PDFium vulnerable to CVE-2024-5846, a use-after-free with CVSS 8.8 disclosed in 2024. Zafran Security cites it as a vulnerable component in the platform's document processing chain, but the dossier does not document whether this dependency was exploited in combination with the DifyTap flaws or represents an independent additional vector. The presence of a parsing library two years behind on patches indicates an upstream dependency management problem that traditional container vulnerability scanners may miss if deployment images differ between environments.
The Context: From Imperva to Zafran, a Repeating Pattern
On May 18, 2026, Imperva published research on cross-tenant vulnerabilities in Dify, with patterns of insufficient isolation on file upload and sandbox. Cybernews picked up the story on May 20, reporting over 10 million Docker pulls as an indicator of adoption. The Imperva flaws and the Zafran flaws are distinct: there is no overlap in CVEs or researchers. But the convergence of two independent teams on the same target with the same type of architectural error — missing cross-tenant ownership checks — turns a single advisory into a sector-wide alarm bell.
"Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another" — Ido Shani and Gal Zaban, Zafran Security
The lack of authentication for two of the four vulnerabilities is particularly critical because Dify Cloud allows free registration without identity verification. An attacker can create accounts at will and operate from inside the cloud perimeter, with minimal privileges but sufficient to trigger three of the four flaws. The attack surface is not that of a hardened system with zero external access: it is that of a platform open by design, where isolation between tenants is the only wall separating different companies' data.
Why DifyTap Evades Standard Tools
Zafran Security raised a specific point on vulnerability visibility in containers: "DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect." The Dify platform is distributed via Docker with a modular architecture: API server, worker, plugin daemon, database, and proxy are separate services. An update to the plugin daemon may not propagate instantly to all self-hosted instances, or be masked by deployment customizations that alter the fingerprint recognized by scanners.
The problem is not technically new, but it is amplified in the AI context: low-code/no-code platforms for agentic workflows centralize high-sensitivity data (LLM provider API keys, proprietary workflows, user conversations) without having inherited the hardening practices matured over years of traditional SaaS. Feature release velocity outpaces architectural review on isolation, and the result is a "tenant illusion" that promises separation but implements insufficient controls.
Immediate Actions
- Update immediately to Dify 1.14.2 to close CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950; CVE-2026-41948 remains without a confirmed patch and requires monitoring of future releases.
- Check public Dify applications for unauthorized trace configurations: an attacker may have already redirected flows to external providers without leaving obvious traces in standard logs.
- Check uploaded file UUIDs: if exposed in URLs, API responses, or logs, they were the sole requirement for cross-tenant reads of up to 3,000 characters, or for full-content reads within the same tenant.
- Review the document parsing chain: the dependency on PDFium vulnerable to CVE-2024-5846 requires verification of the version actually running, independent of the DifyTap fix.
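For the trace-configuration check, an added example (not part of Dify or of the Zafran advisory) that audits an export of per-application trace settings against an allowlist of approved collector hosts. The record fields, host names and sample rows are constructed; how the settings are exported from a given instance is left to the operator, and the tenant comparison applies only if the export records who set the configuration.

```python
from urllib.parse import urlsplit

# Assumption: the hosts your organisation has approved as trace collectors.
APPROVED_TRACE_HOSTS = {"trace.example.internal"}

# Constructed export rows; the field names are hypothetical.
RECORDS = [
    {"app_id": "app-1", "app_tenant": "tenant-a", "set_by_tenant": "tenant-a",
     "endpoint": "https://trace.example.internal/api"},
    {"app_id": "app-2", "app_tenant": "tenant-a", "set_by_tenant": "tenant-b",
     "endpoint": "https://trace.example.internal/api"},
    {"app_id": "app-3", "app_tenant": "tenant-a", "set_by_tenant": "tenant-a",
     "endpoint": "https://collector.example.net/v1"},
    {"app_id": "app-4", "app_tenant": "tenant-a", "set_by_tenant": "tenant-a",
     "endpoint": "https://trace.example.internal@collector.example.net/"},
]

def audit_trace_configs(records, approved_hosts):
    """Return (app_id, reasons) for every trace config that needs review."""
    findings = []
    for rec in records:
        reasons = []
        # urlsplit().hostname ignores userinfo, so 'approved@other-host' URLs
        # resolve to the host that would actually receive the traffic
        host = (urlsplit(rec["endpoint"]).hostname or "").lower()
        if host not in approved_hosts:  # exact match, no suffix matching
            reasons.append(f"unapproved host {host or '<none>'}")
        if rec.get("set_by_tenant") not in (None, rec["app_tenant"]):
            reasons.append("configured from another tenant")
        if reasons:
            findings.append((rec["app_id"], reasons))
    return findings
```
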
An Industry Running Faster Than Its Defenders
DifyTap is not a chain of sophisticated exploits: it is a series of missing ownership checks in critical endpoints, combined with an unpatched dependency. The simplicity is the symptom. When two independent research teams find the same architectural error a month apart on a platform with 146,000 GitHub stars, the problem is no longer the single vendor but the sector that has turned AI tooling into critical infrastructure without transferring the isolation controls matured elsewhere. Containers hide deployment differences, AI platforms hide multi-tenant complexities behind simple interfaces, and scanners do not see what is not static in the image.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html
- https://securityboulevard.com/2026/05/dify-when-your-ai-platform-becomes-the-attack-surface/
- https://www.imperva.com/blog/dify-when-your-ai-platform-becomes-the-attack-surface/
- https://cybernews.com/security/dify-critical-vulnerabilities-disclosed/
- https://nvd.nist.gov/vuln/detail/CVE-2024-5846
- https://nvd.nist.gov/vuln/detail/CVE-2026-41947
- https://nvd.nist.gov/vuln/detail/CVE-2026-41948
- https://nvd.nist.gov/vuln/detail/CVE-2026-41949
- https://nvd.nist.gov/vuln/detail/CVE-2026-41950