DifyTap Flaws Allow Attackers to Wiretap AI Data Across Tenants – 1M+ Apps Impacted
By Abinaya
June 23, 2026
Multiple critical vulnerabilities in Dify could expose sensitive AI data across tenants and potentially impact more than one million applications.
Dify, which powers AI workflows, chatbots, and retrieval-augmented generation (RAG) pipelines, is heavily adopted across enterprises including Volvo, Maersk, Panasonic, and Thermo Fisher.
With more than 140,000 GitHub stars and over 10 million Docker pulls, the platform has become a core component in production AI systems.
Zafran identified tens of thousands of internet-facing Dify instances during its investigation, highlighting the potential scale of exposure.
Critical Cross-Tenant Data Exposure
The research uncovered four vulnerabilities, including two critical flaws, CVE-2026-41947 (CVSS 9.1) and CVE-2026-41948 (CVSS 9.4).
Three of the four issues enable cross-tenant attacks in Dify’s multi-tenant cloud deployment, allowing attackers to access data belonging to other customers.
One of the most severe issues is that attackers can configure tracing on victim applications without proper tenant validation.
By abusing this flaw, an attacker can capture full chat histories, including prompts and model responses, effectively creating a persistent data exfiltration channel.
Another critical vulnerability affects Dify’s Plugin Daemon service. Due to improper input handling, attackers can exploit path traversal flaws via crafted GET and POST requests to access internal APIs.
Notably, these endpoints do not require authentication, thereby significantly increasing the risk of exploitation.
The vulnerabilities also affect Dify’s file-handling mechanisms. Researchers found that attackers could:
- Preview documents uploaded by other tenants without authorization.
- Access sensitive files, including PDFs and images, using only file UUIDs.
- Attach existing file identifiers to new messages to trick AI models into revealing the contents of those files.
These flaws stem from weak permission enforcement and indirect access control models, enabling both cross-tenant and intra-tenant data leakage.
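The tracing and file-identifier issues above share one root cause: an object is looked up by its ID without comparing its owner to the caller's tenant. The following added example (not Dify's code; the `Store` class, method names and sample IDs are hypothetical) puts that unscoped lookup beside a tenant-scoped one that is applied both to configuration writes and to file IDs merely referenced in a message.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller referenced an object that its tenant does not own."""


@dataclass
class Store:
    app_owner: dict = field(default_factory=dict)    # app id  -> tenant id
    file_owner: dict = field(default_factory=dict)   # file id -> tenant id
    trace_config: dict = field(default_factory=dict)

    def set_tracing_unscoped(self, caller_tenant, app_id, config):
        # Flawed pattern: lookup by id alone; caller_tenant is never compared.
        if app_id not in self.app_owner:
            raise KeyError(app_id)
        self.trace_config[app_id] = config

    def _require_owner(self, owners, caller_tenant, object_id):
        owner = owners.get(object_id)
        # Unknown and foreign ids fail identically, so the error does not
        # confirm that an id exists in another tenant.
        if owner is None or owner != caller_tenant:
            raise Forbidden(object_id)

    def set_tracing_scoped(self, caller_tenant, app_id, config):
        self._require_owner(self.app_owner, caller_tenant, app_id)
        self.trace_config[app_id] = config

    def attach_files_scoped(self, caller_tenant, file_ids):
        # Check every referenced id, not only ids that are downloaded directly.
        for file_id in file_ids:
            self._require_owner(self.file_owner, caller_tenant, file_id)
        return list(file_ids)


def demo():
    # Constructed sample data: tenant-2 acts on objects owned by tenant-1.
    store = Store({"app-A": "tenant-1"}, {"file-A": "tenant-1", "file-B": "tenant-2"})
    results = {}
    store.set_tracing_unscoped("tenant-2", "app-A", {"sink": "other"})
    results["unscoped_write_accepted"] = store.trace_config["app-A"]["sink"] == "other"
    store.trace_config.clear()
    try:
        store.set_tracing_scoped("tenant-2", "app-A", {"sink": "other"})
    except Forbidden:
        results["scoped_write_rejected"] = "app-A" not in store.trace_config
    return results
```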
In addition to logic flaws, Dify was found to be using an outdated version of PDFium, which is vulnerable to CVE-2024-5846, a use-after-free bug.
The vulnerable component remained in production for over 18 months after disclosure, allowing attackers to potentially exploit the issue by uploading malicious PDF files.
This highlights a broader issue in AI platforms that process untrusted file formats without adequate sandboxing or dependency management.
Dify has released version 1.14.2, which addresses CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. A fix for CVE-2026-41948 has been merged and is expected in an upcoming release.
Security teams should immediately upgrade to the latest Dify version, deploy WAF rules to block path traversal attacks, monitor plugin and file-related endpoints for suspicious activity, and limit public exposure of Dify instances whenever possible.
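For the monitoring recommendation above, one way to flag path traversal attempts in access logs is to decode each request target repeatedly and look for dot-dot segments. This is an added example, not part of the original article or of Dify; the log format, paths and addresses are constructed, and the routes are hypothetical rather than real Dify endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; the paths are hypothetical, not real Dify routes.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2026:10:00:01 +0000] "GET /example/tasks/42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2026:10:00:02 +0000] "GET /example/..%2f..%2finternal HTTP/1.1" 200 87',
    '203.0.113.9 - - [23/Jun/2026:10:00:03 +0000] "POST /example/%252e%252e/admin HTTP/1.1" 404 0',
    '198.51.100.4 - - [23/Jun/2026:10:00:04 +0000] "GET /files/report..final.pdf HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')
MAX_DECODE_ROUNDS = 3  # enough to surface double-encoded sequences such as %252e


def fully_decode(target):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target):
    """True if any path or query segment is '..' after decoding."""
    decoded = fully_decode(target).replace("\\", "/")
    segments = re.split(r"[/?&=]", decoded)
    # Drop ';params' so a segment like '..;' is still recognised.
    return any(seg.split(";")[0] == ".." for seg in segments)


def scan(lines):
    """Return (client, method, target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned a 2xx status deserves review first, since it suggests the traversal reached a handler instead of being rejected.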
The findings are part of Zafran’s “Project DarkSide,” which focuses on uncovering systemic weaknesses in AI infrastructure.
Similar to prior research on the Chainlit framework, this disclosure highlights how modern AI systems, often built on microservices and containerized environments, introduce new attack surfaces that traditional security tools fail to detect.
To address this gap, Zafran introduced a technique called “shadow container image component enrichment,” which improves visibility into application-level vulnerabilities hidden within container images.
An example scenario demonstrates the risk: an attacker signs up for a free Dify cloud account, identifies a public AI application, extracts its internal App ID, and silently enables tracing, gaining continuous access to all user interactions without detection.
As AI adoption accelerates, these vulnerabilities underscore the urgent need for stronger isolation, secure architecture design, and improved visibility across AI supply chains.