DifyTap Vulnerabilities Could Expose AI Chats and Files Across Dify Tenants


Security researchers have disclosed four vulnerabilities in Dify that could allow attackers to read private AI conversations, preview uploaded files, and reach internal platform APIs across tenant boundaries.

The flaws were collectively named DifyTap by Zafran Security. The company said two of the bugs were critical, two required no authentication in some attack paths, and three carried cross-tenant impact in Dify’s multi-tenant cloud service.

Dify is a widely used open-source platform for building AI applications, chatbots, workflows, RAG pipelines, and agentic tools. Its GitHub repository shows more than 146,000 stars, which makes the findings important for both cloud users and self-hosted deployments.

DifyTap Targets Tenant Isolation in AI Apps

The central issue is weak tenant isolation. In a multi-tenant AI platform, one customer’s applications, documents, traces, and chat messages should stay separated from every other customer’s data.

Zafran said the flaws could allow an attacker to create a persistent exfiltration channel for chat messages and model responses from victim applications. The most severe issue, CVE-2026-41947, involves missing tenant ownership checks in trace configuration endpoints.

Tracing is normally used for monitoring AI applications, measuring performance, and debugging model behavior. In this case, the flaw could let an attacker redirect application messages and AI responses to an attacker-controlled tracing provider.

| CVE | Issue | Main impact | Fix status |
|---|---|---|---|
| CVE-2026-41947 | Trace configuration authorization bypass | Could redirect AI messages and responses to an attacker-controlled trace provider | Fixed in Dify 1.14.2 |
| CVE-2026-41948 | Plugin Daemon path traversal | Could reach internal Plugin Daemon API endpoints | Fix merged, pending release according to Zafran |
| CVE-2026-41949 | File preview authorization bypass | Could preview up to 3,000 characters from uploaded documents across tenants | Fixed in Dify 1.14.2 |
| CVE-2026-41950 | File UUID authorization bypass | Could leak full file contents from other users within the same tenant | Fixed before Dify 1.14.0 |

Trace Configuration Bug Could Leak AI Conversations

The trace configuration flaw stands out because it could expose complete AI conversations. The NVD entry says attackers could exploit missing tenant ownership checks to redirect messages and responses from victim applications to attacker-controlled LLM trace providers.

This matters because AI traces can contain raw prompts, model outputs, customer questions, uploaded context, internal support data, and sensitive business logic. In many deployments, trace logs may contain the exact information users assume stays inside the application.

Zafran said the attack was especially concerning for publicly accessible apps because anyone could register for a Dify Cloud account and then interact with an exposed victim application as a client.

Plugin Daemon Path Traversal Adds Internal API Risk

The second critical issue, CVE-2026-41948, involves insufficient URL path sanitization in requests forwarded to Dify’s Plugin Daemon internal REST API.

The Plugin Daemon manages Dify’s plugin system, including tools, model provider integrations, and workflow extensions. If attackers can manipulate forwarded paths, they may be able to reach internal endpoints that normal users should not access.

Zafran said the current impact was limited by which internal endpoints could actually be reached, but described the issue as an architectural flaw. Any new or changed Plugin Daemon endpoint could increase the severity of the same path traversal pattern.

  • Attackers could manipulate forwarded Plugin Daemon paths.
  • The issue could cross tenant boundaries in shared deployments.
  • Some request paths required no login in the reported attack flow.
  • Zafran recommends WAF rules for deployments still exposed to this issue.
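One defensive shape for the layer that forwards requests to an internal service, added here as an illustration and not Dify's code: decode and canonicalise the client-supplied path, reject any traversal or empty segment, and forward only paths under an assumed allowlist of prefixes.

```python
# Added example, not Dify's code: canonicalising a client-supplied path before it is
# forwarded to an internal REST service. The allowed prefixes are an assumption.
from typing import Optional
from urllib.parse import unquote
import posixpath

ALLOWED_PREFIXES = ("/plugin/tools/", "/plugin/models/")  # assumed client-facing subtree

def safe_forward_path(raw: str) -> Optional[str]:
    """Return the canonical path to forward, or None when the request must be rejected."""
    # Decode repeatedly so that double-encoded dots or slashes cannot hide a traversal.
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Drop any query string or fragment; only the path is routed.
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]
    if not decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return None
    # Reject '.', '..' and empty segments outright instead of trusting normalisation.
    if any(seg in ("", ".", "..") for seg in decoded.split("/")[1:]):
        return None
    # normpath must be a no-op on a path that is already clean; anything else is suspicious.
    canonical = posixpath.normpath(decoded)
    if canonical != decoded or not canonical.startswith(ALLOWED_PREFIXES):
        return None
    return canonical
```

The allowlist check is what limits the blast radius: even if a future internal endpoint appears, it is unreachable through the proxy unless its prefix is deliberately added.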

File Preview and File UUID Bugs Exposed Documents

Dify also had two file-handling authorization issues. CVE-2026-41949 affected the file preview endpoint and allowed any authenticated user to read up to 3,000 characters from uploaded documents across tenants and workspaces if they had the file UUID.

A separate issue, CVE-2026-41950, allowed authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying another file UUID in a chat-messages request.

These flaws show why file UUIDs should not act as permission checks. Even when signed links and temporary access tokens exist, the application still needs to confirm that the user, tenant, workspace, and file all match.
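The trace configuration issue described above and the two file issues share one fix pattern: resolve the record, then check that it belongs to the caller's tenant (and, where the page says the same tenant is not enough, to the caller) before acting on it. An added Python illustration, not Dify's code, using constructed records and an assumed uploader-must-match policy for same-tenant chat reads:

```python
# Added example, not Dify's code: tenant-scoped lookups for uploaded files and app
# trace configuration. All records, tenant names and file ids below are constructed.
from dataclasses import dataclass
@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str

@dataclass
class UploadFile:
    tenant_id: str
    created_by: str
    content: str

class NotFound(Exception):
    """Used for missing rows and out-of-scope rows alike, so the response is not an oracle."""
FILES = {  # constructed store: one file per tenant
    "f-0001": UploadFile("tenant-a", "alice", "tenant A confidential document text"),
    "f-0002": UploadFile("tenant-b", "bob", "tenant B pricing sheet"),
}
APPS = {  # constructed: app id -> owning tenant and current trace provider
    "app-a": {"tenant_id": "tenant-a", "trace_provider": ""},
    "app-b": {"tenant_id": "tenant-b", "trace_provider": ""},
}

def preview_by_uuid_only(file_id: str) -> str:
    """The flawed pattern the article describes: knowing the id is the only check."""
    return FILES[file_id].content[:3000]

def preview_file(caller: Principal, file_id: str) -> str:
    """Hardened preview: the row must belong to the caller's tenant."""
    f = FILES.get(file_id)
    if f is None or f.tenant_id != caller.tenant_id:
        raise NotFound(file_id)
    return f.content[:3000]

def read_file_for_chat(caller: Principal, file_id: str) -> str:
    """Same-tenant reads: also require the caller to be the uploader (assumed policy)."""
    f = FILES.get(file_id)
    if f is None or f.tenant_id != caller.tenant_id or f.created_by != caller.user_id:
        raise NotFound(file_id)
    return f.content

def set_trace_provider(caller: Principal, app_id: str, provider: str) -> None:
    """Trace-config write: verify the app belongs to the caller's tenant before changing it."""
    app = APPS.get(app_id)
    if app is None or app["tenant_id"] != caller.tenant_id:
        raise NotFound(app_id)
    app["trace_provider"] = provider
```

Answering "not found" for out-of-scope rows as well as missing ones keeps the endpoint from confirming which identifiers exist in other tenants.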

| File issue | What attackers needed | What they could access |
|---|---|---|
| File preview flaw | A Dify console account and a file UUID | Up to 3,000 characters from another tenant's uploaded document |
| File UUID flaw | A valid account inside the same tenant and another user's file UUID | Full file contents through the chat workflow |

PDF Parsing Also Expanded the Attack Surface

Zafran also found that Dify’s file parsing stack used a PDFium-based dependency path that remained exposed to CVE-2024-5846, a PDFium use-after-free vulnerability disclosed in 2024.

The risk came from Dify’s ability to parse many file types for previews, knowledge bases, and document workflows. When AI platforms accept untrusted PDFs, office files, images, and other uploads, file parsing becomes part of the security boundary.

The PDFium vulnerability had a CVSS 3.1 score of 8.8 in NVD and could allow heap corruption through a crafted PDF file. Zafran said the broader lesson is that document parsing components need fast updates and sandboxing.

Dify 1.14.2 Includes Key Security Fixes

Dify released version 1.14.2 on May 19, 2026. The release notes describe it as a patch release focused on security hardening, workflow reliability, knowledge reliability, observability fixes, and deployment tuning.

The same Dify release specifically mentions stronger tenant isolation for app trace-config endpoints and FilePreview text extraction. Those changes map to the high-risk trace and file preview flaws.

However, administrators should not assume one upgrade note covers every exposure path. Zafran said a fix for the Plugin Daemon path traversal issue had been merged and would be available in the next Dify release, while the file UUID issue was fixed earlier in the 1.14.0 line.

Self-Hosted Dify Users Should Patch and Review Exposure

Self-hosted Dify users should update as soon as possible and review whether their deployments expose Dify services to the internet. Teams should also confirm which version runs in each container, not just which source repository or tag they believe they deployed.

The Dify project supports local deployment, plugin-based workflows, model integrations, and document processing. Those features make it useful, but they also create many places where tenant checks and file permissions need to work consistently.

For cloud and multi-tenant environments, the priority is stricter isolation around tracing, plugin routing, file preview, and uploaded documents. For internal deployments, teams should still treat these flaws seriously because one user or workspace may be able to access another user’s files or application data.

  • Upgrade Dify to a fixed release and watch for the next release covering CVE-2026-41948.
  • Restrict access to Dify console and administrative endpoints.
  • Review trace provider settings for unexpected destinations.
  • Check logs for suspicious file preview requests and unusual file UUID access.
  • Limit public access to self-hosted Dify instances where possible.
  • Apply WAF rules for Plugin Daemon path traversal patterns until patched.
  • Sandbox document parsing components that process untrusted uploads.
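To make the log review step concrete, an added Python example (not Dify's code) that walks constructed access-log lines, flags file preview hits where the file's owning tenant differs from the requester's tenant, and flags accounts touching many distinct file UUIDs; the log format, endpoint path and ownership table are assumptions.

```python
# Added example, not Dify's code: reviewing access logs for cross-tenant file preview
# hits and for accounts touching unusually many distinct file UUIDs. The log format,
# endpoint path and ownership table are constructed for illustration.
import re
from collections import defaultdict

# Constructed ownership table: file id -> owning tenant (in practice, the uploads table).
FILE_TENANT = {"f-0001": "tenant-a", "f-0002": "tenant-b", "f-0003": "tenant-b"}

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) tenant=(?P<tenant>\S+) "
                    r"(?P<method>GET|POST) (?P<path>\S+) (?P<status>\d{3})$")
PREVIEW_RE = re.compile(r"^/files/(?P<fid>[\w-]+)/preview$")

# Constructed sample lines: alice and mallory each fetch a preview outside their tenant.
SAMPLE_LOGS = """\
2026-05-20T10:00:01Z user=alice tenant=tenant-a GET /files/f-0001/preview 200
2026-05-20T10:00:02Z user=alice tenant=tenant-a GET /files/f-0002/preview 200
2026-05-20T10:00:03Z user=bob tenant=tenant-b GET /files/f-0002/preview 200
2026-05-20T10:00:04Z user=mallory tenant=tenant-c GET /files/f-0001/preview 200
2026-05-20T10:00:05Z user=mallory tenant=tenant-c GET /files/f-0002/preview 200
2026-05-20T10:00:06Z user=mallory tenant=tenant-c GET /files/f-0003/preview 200
2026-05-20T10:00:07Z user=mallory tenant=tenant-c GET /files/f-0004/preview 404
"""

def find_suspicious_previews(log_text: str, max_distinct: int = 2) -> dict:
    """Return {'cross_tenant': [(user, file_id), ...], 'high_volume': [user, ...]}."""
    cross_tenant = []
    distinct_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        p = PREVIEW_RE.match(m["path"])
        if not p:
            continue  # not a preview request
        fid = p["fid"]
        distinct_by_user[m["user"]].add(fid)
        owner = FILE_TENANT.get(fid)
        # A successful preview of a file owned by another tenant is the signal to chase.
        if m["status"] == "200" and owner is not None and owner != m["tenant"]:
            cross_tenant.append((m["user"], fid))
    high_volume = sorted(u for u, s in distinct_by_user.items() if len(s) > max_distinct)
    return {"cross_tenant": cross_tenant, "high_volume": high_volume}
```

Cross-tenant hits need the ownership join; volume alone only surfaces candidates, so tune `max_distinct` to the deployment's normal usage.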

Why DifyTap Matters for AI Security

DifyTap highlights a larger problem in AI application platforms. These tools combine chat interfaces, user uploads, plugins, workflows, model calls, tracing, RAG pipelines, and multi-tenant hosting. A single missing ownership check can expose far more than a normal web form.

The Plugin Daemon path traversal flaw shows how internal AI platform services can become attack paths when URL routing and tenant boundaries do not hold.

The file preview bug and file UUID bug also show that document workflows need direct authorization checks, not indirect trust in temporary links or identifiers.

Zafran’s DifyTap research also points to visibility gaps in container scanning. Some scanners may detect operating system packages and libraries, but miss project-level application vulnerabilities inside complex AI platform images.

FAQ

What is DifyTap?

DifyTap is the name Zafran Security gave to four vulnerabilities in Dify that could expose AI conversations, uploaded documents, and internal platform APIs across tenant boundaries.

Which Dify vulnerabilities are included in DifyTap?

The DifyTap set includes CVE-2026-41947, CVE-2026-41948, CVE-2026-41949, and CVE-2026-41950. They involve trace configuration authorization bypass, Plugin Daemon path traversal, file preview authorization bypass, and file UUID authorization bypass.

Could DifyTap expose AI chats?

Yes. The trace configuration flaw could let attackers redirect messages and model responses from victim applications to an attacker-controlled LLM trace provider, creating a persistent AI chat exfiltration channel.

Which Dify version fixes the reported flaws?

Dify 1.14.2 fixes key tenant-scoping issues for trace configuration and file preview extraction. CVE-2026-41950 was fixed before Dify 1.14.0, while Zafran said the fix for CVE-2026-41948 had been merged and was expected in a later release.

What should Dify administrators do now?

Administrators should upgrade Dify, monitor for the next release covering CVE-2026-41948, restrict console access, review trace provider settings, inspect file preview and file UUID activity, and limit public exposure of self-hosted Dify instances.
