logo

DifyTap: Four Bugs Put over 1 million AI Apps at Risk

ID: 494d0f69-bb79-5fb3-a098-608f6a509f85

STIX ID: report--494d0f69-bb79-5fb3-a098-608f6a509f85

Feed Name: Security Affairs

Threat Score
80/100

Date Published: 2026-06-23

Date Updated: 2026-06-24

Author: Pierluigi Paganini

...
...

Zafran Labs disclosed four vulnerabilities in the Dify open-source AI platform (named DifyTap), including two critical, unauthenticated flaws (CVE-2026-41947 and CVE-2026-41948) that enable cross-tenant data exfiltration and internal endpoint access, plus file-preview and file-UUID abuse issues and a bundled vulnerable PDFium binary; the weaknesses could expose messages, documents and AI conversations across tenants in many deployed apps, and Dify 1.14.2 addresses the issues with recommendations to apply WAF rules and sandbox file parsing.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.