DifyTap Bugs Let Attackers 'Wiretap' AI Chat Histories
Four vulnerabilities allow attackers to exploit Dify, a platform for AI application building and management, to silently access and exfiltrate sensitive data.
Alexander Culafi, Senior News Writer, Dark Reading
June 22, 2026
A new set of bugs in a popular AI building platform could allow attackers to effectively wiretap vulnerable customers.
Researchers with security vendor Zafran discovered a series of four vulnerabilities in Dify, an open source AI platform that acts as a kind of orchestration layer to help organizations create, deploy, and manage AI applications without needing to build out the infrastructure themselves. Dify is exceedingly popular; it has more than 10 million pulls of its API image on Docker, and Zafran identified tens of thousands of internet-facing Dify instances.
The set of vulnerabilities, referred to cumulatively as "DifyTap," includes tracing configuration flaw CVE-2026-41947 (CVSS 9.1); Plugin Daemon path traversal vulnerability CVE-2026-41948 (CVSS 9.4); unauthorized document preview bug CVE-2026-41949 (CVSS 6.5); and cross-file user access flaw CVE-2026-41950 (CVSS 6.5).
If exploited, these vulnerabilities would enable attackers to leak private AI chat histories, traverse Dify's internal Plugin Daemon API from unauthenticated requests, preview documents uploaded by other tenants without permission checks, and leak files across users within a tenant.
CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950 have been patched in Dify version 1.14.2. A fix for CVE-2026-41948 has been merged on GitHub, and customers can build and deploy the most recent version on GitHub, which addresses all four flaws at once. Zafran's blog post also notes that "For those currently operating on version 1.14.2, it is highly recommended to implement Web Application Firewall (WAF) rules specifically designed to mitigate CVE-2026-41948."
How Attackers Could Exploit DifyTap
The four vulnerabilities under the DifyTap umbrella are grouped together for the purposes of the blog post, but they can be exploited differently.
CVE-2026-41947 enables a tracing hijack and the wiretapping-like capabilities. In AI terms, tracing refers to the ability to profile and monitor AI applications, and this vulnerability would allow a threat actor to take advantage of that. An attacker would create a Dify account, find a public-facing application, obtain the application's internal App ID, call Dify's tracing configuration API, and then register their own tracing back end.
Through this, the attacker would effectively establish a "persistent exfiltration channel for all messages and responses sent in the application," researchers said. For a company using Dify for a customer-facing chat bot, this would seize data including (but not limited to) user prompts, model responses, and chat histories.
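A defender-side check for the tracing hijack described above, as an added example that is not Dify's or Zafran's code: it audits an export of tracing configurations and flags any destination that is not an approved host or that was registered from outside the app's own tenant. The record fields, tenant names, and host names are assumptions, and the sample rows are constructed.

```python
from urllib.parse import urlsplit

# Hosts the organization has approved as tracing destinations (assumed values).
APPROVED_TRACE_HOSTS = {"traces.internal.example", "otel.example.com"}

# Constructed sample export: one row per tracing configuration.
SAMPLE_CONFIGS = [
    {"app_id": "app-1", "app_tenant": "t-acme", "created_by_tenant": "t-acme",
     "endpoint": "https://traces.internal.example/v1"},
    {"app_id": "app-2", "app_tenant": "t-acme", "created_by_tenant": "t-other",
     "endpoint": "https://collector.unknown.example/ingest"},
    {"app_id": "app-3", "app_tenant": "t-acme", "created_by_tenant": "t-acme",
     "endpoint": "https://OTEL.example.com.lookalike.example/v1"},
    {"app_id": "app-4", "app_tenant": "t-acme", "created_by_tenant": "t-acme",
     "endpoint": "not a url"},
]


def audit_tracing_configs(configs, approved_hosts):
    """Return (app_id, reasons) for every configuration that needs review."""
    findings = []
    for cfg in configs:
        reasons = []
        # hostname is lower-cased by urlsplit and is None when no host parses.
        host = urlsplit(cfg["endpoint"]).hostname or ""
        if not host:
            reasons.append("unparseable endpoint")
        elif host not in approved_hosts:
            # Exact match only: suffix or substring checks let lookalikes pass.
            reasons.append(f"unapproved host {host}")
        if cfg["created_by_tenant"] != cfg["app_tenant"]:
            reasons.append("registered from outside the owning tenant")
        if reasons:
            findings.append((cfg["app_id"], reasons))
    return findings


if __name__ == "__main__":
    for app_id, reasons in audit_tracing_configs(SAMPLE_CONFIGS, APPROVED_TRACE_HOSTS):
        print(app_id, "; ".join(reasons))
```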
CVE-2026-41948 deals with the Plugin Daemon, the service Dify uses for managing and running plug-ins. The vulnerability allows an attacker to reach exposed parts of the internal Plugin Daemon that they should not be able to access. While the immediate impact is limited, it represents an architectural flaw that could grow worse if another vulnerability comes around.
"The current impact is limited in scope, primarily allowing access to debug/pprof for performance data," the research read. "With this in mind, this is still a fundamental architectural flaw; any new or changed endpoint in the Plugin Daemon could become a high-severity vulnerability."
CVE-2026-41949 and CVE-2026-41950 both involve the Universally Unique Identifier (UUID) attached to documents, such as sensitive PDFs uploaded by a vulnerable company. If an attacker discovers a UUID in one way or another, CVE-2026-41949 allows the attacker to view document content from a preview endpoint with only the UUID, and CVE-2026-41950 allows the attacker to get an AI application to leak a file's content by using the UUID in a prompt, without further authorization.
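The class of flaw described above, where knowing a UUID is treated as permission, shown beside an object-level authorization check. This is an added example, not Dify's code; the types, function names, the in-memory store, and the uploader-only policy inside a tenant are assumptions, and the sample documents are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    tenant_id: str
    uploader_id: str
    content: str


@dataclass(frozen=True)
class Caller:
    tenant_id: str
    user_id: str


class AccessDenied(Exception):
    """Raised for missing and unauthorized documents alike."""


# Constructed sample store keyed by document UUID.
DOCS = {
    "3f2b6c1e-0000-4000-8000-000000000001": Document("t-acme", "u-alice", "Q3 forecast"),
    "3f2b6c1e-0000-4000-8000-000000000002": Document("t-globex", "u-carol", "HR file"),
}


def preview_by_uuid_only(doc_id):
    """Flawed pattern: knowing the UUID is the only gate."""
    doc = DOCS.get(doc_id)
    return doc.content if doc else None


def preview_authorized(caller, doc_id):
    """Scope the lookup to the caller's tenant, then to the uploader."""
    doc = DOCS.get(doc_id)
    # One error for "missing" and "not yours" so UUIDs cannot be probed.
    if doc is None or doc.tenant_id != caller.tenant_id:
        raise AccessDenied(doc_id)
    # Assumed policy: inside a tenant, only the uploader may read the file.
    if doc.uploader_id != caller.user_id:
        raise AccessDenied(doc_id)
    return doc.content
```

The same check belongs on every path that resolves a document ID, including file references that an AI application resolves from prompt text.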
What CISOs Can Take Away From DifyTap
A spokesperson for Zafran tells Dark Reading it is not aware of any real-world exploitation attempts targeting the vulnerabilities to date.
The DifyTap flaws highlight the increased data security risks that come with AI applications due to how close they sit to the most sensitive parts of an enterprise. The spokesperson points out that "a simple authorization flaw can quickly become a cross-tenant data exposure issue," and organizations should assume there may be hidden exposure within their AI stack.
"CISOs should treat AI platforms as critical enterprise systems: maintain an inventory of deployed AI applications, ensure they are patched promptly, continuously monitor them, and perform the same level of security assessment they would apply to any internet-facing business-critical technology," the spokesperson says.
Dark Reading contacted Dify for comment.
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.