CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 23, 2026

DifyTap Flaws Allow Attackers to Wiretap AI Data Across Tenants – 1M+ Apps Impacted

Cybersecurity News Archived Jun 23, 2026 ✓ Full text saved

Multiple critical vulnerabilities in Dify could expose sensitive AI data across tenants and potentially impact more than one million applications. Dify, which powers AI workflows, chatbots, and retrieval-augmented generation (RAG) pipelines, is heavily adopted across enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher. With more than 140,000 GitHub stars and over 10 million Docker pulls, […] The post DifyTap Flaws Allow Attackers to Wiretap AI Data Across Tenants – 1M+ Apps Impacte

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News DifyTap Flaws Allow Attackers to Wiretap AI Data Across Tenants – 1M+ Apps Impacted By Abinaya June 23, 2026 Multiple critical vulnerabilities in Dify could expose sensitive AI data across tenants and potentially impact more than one million applications. Dify, which powers AI workflows, chatbots, and retrieval-augmented generation (RAG) pipelines, is heavily adopted across enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher. With more than 140,000 GitHub stars and over 10 million Docker pulls, the platform has become a core component in production AI systems. Zafran identified tens of thousands of internet-facing Dify instances during its investigation, highlighting the potential scale of exposure. Critical Cross-Tenant Data Exposure The research uncovered four vulnerabilities, including two critical flaws, CVE-2026-41947 (CVSS 9.1) and CVE-2026-41948 (CVSS 9.4). Three of the four issues enable cross-tenant attacks in Dify’s multi-tenant cloud deployment, allowing attackers to access data belonging to other customers. One of the most severe issues is that attackers can configure tracing on victim applications without proper tenant validation. By abusing this flaw, an attacker can capture full chat histories, including prompts and model responses, effectively creating a persistent data exfiltration channel. Another critical vulnerability affects Dify’s Plugin Daemon service. Due to improper input handling, attackers can exploit path traversal flaws via crafted GET and POST requests to access internal APIs. Notably, these endpoints do not require authentication, thereby significantly increasing the risk of exploitation. The vulnerabilities also affect Dify’s file-handling mechanisms. Researchers found that attackers could: Preview documents uploaded by other tenants without authorization. Access sensitive files, including PDFs and images, using only file UUIDs. Attach existing file identifiers to new messages to trick AI models into revealing the contents of those files. These flaws stem from weak permission enforcement and indirect access control models, enabling both cross-tenant and intra-tenant data leakage. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. In addition to logic flaws, Dify was found to be using an outdated version of PDFium, which is vulnerable to CVE-2024-5846, a use-after-free bug. The vulnerable component remained in production for over 18 months after disclosure, allowing attackers to potentially exploit the issue by uploading malicious PDF files. This highlights a broader issue in AI platforms that process untrusted file formats without adequate sandboxing or dependency management. Dify has released version 1.14.2, which addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. A fix for CVE-2026-41948 has been merged and is expected in an upcoming release. Security teams should immediately upgrade to the latest Dify version, deploy WAF rules to block path traversal attacks, monitor plugin and file-related endpoints for suspicious activity, and limit public exposure of Dify instances whenever possible. The findings are part of Zafran’s “Project DarkSide,” which focuses on uncovering systemic weaknesses in AI infrastructure. Similar to prior research on the Chainlit framework, this disclosure highlights how modern AI systems, often built on microservices and containerized environments, introduce new attack surfaces that traditional security tools fail to detect. To address this gap, Zafran introduced a technique called “shadow container image component enrichment,” which improves visibility into application-level vulnerabilities hidden within container images. An example scenario demonstrates the risk: an attacker signs up for a free Dify cloud account, identifies a public AI application, extracts its internal App ID, and silently enables tracing, gaining continuous access to all user interactions without detection. As AI adoption accelerates, these vulnerabilities underscore the urgent need for stronger isolation, secure architecture design, and improved visibility across AI supply chains. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Klue Hack Leads to Data Breach Across Multiple Cybersecurity Companies HazyBeacon Weaponizes AWS Lambda Function URLs for Stealth Command-and-Control Relays Multiple JetBrains IDE Plugins 70,000+ Installs Caught Stealing AI keys pgAdmin 4 Released With Fixes for Seven Security Vulnerabilities and New Features Microsoft’s New Option Allows Organizations to Block Copilot Access to Office Files Latest News Cyber Security News LastPass Customer Data Exposed in Klue Supply Chain Attack Cyber Security News Five-Eye Agencies Call for “Whole-of-Organization and Whole-of-Society Response” to Stop Cyber Threats Cyber Security News Nearly Half of Apps Across LG and Samsung TV’S are Selling Your IP Address Cyber Security News Hackers Use Velociraptor, Cloudflare Tunnels, Zoho Assist, and VS Code SSH for Persistence Cyber Security News FlutterShell macOS Backdoor Abuses Flutter Framework and WKWebView for Stealthy Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 23, 2026
    Archived
    Jun 23, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗