DifyTap: Four Bugs Put over 1 million AI Apps at Risk
ID: 494d0f69-bb79-5fb3-a098-608f6a509f85
STIX ID: report--494d0f69-bb79-5fb3-a098-608f6a509f85
Feed Name: Security Affairs
Zafran Labs disclosed four vulnerabilities in the Dify open-source AI platform (named DifyTap), including two critical, unauthenticated flaws (CVE-2026-41947 and CVE-2026-41948) that enable cross-tenant data exfiltration and internal endpoint access, plus file-preview and file-UUID abuse issues and a bundled vulnerable PDFium binary; the weaknesses could expose messages, documents and AI conversations across tenants in many deployed apps, and Dify 1.14.2 addresses the issues with recommendations to apply WAF rules and sandbox file parsing.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
