Dify flaws expose cross-tenant AI data, Zafran says
Dify flaws expose cross-tenant AI data risks, Zafran Security says, after disclosing four vulnerabilities in the open-source AI platform used to build applications, chatbots and workflows. Zafran reported that three of the issues could enable cross-tenant exposure in Dify's cloud service, including the ability to read private AI conversations, preview documents uploaded by other tenants, attach another user's file to a chat flow, and reach internal APIs through the plugin architecture. Two of the vulnerabilities were described as critical, and two could be exploited without authentication.

One issue, CVE-2026-41947, concerned Dify tracing endpoints that did not validate tenant ownership, letting console users configure tracing for another tenant's application by supplying that application's ID. Another, CVE-2026-41948, involved the Plugin Daemon, where manipulated GET/POST paths allowed traversal to internal endpoints, including a login-free route that accepts a tenant ID. Two file-handling flaws (CVE-2026-41949 and CVE-2026-41950) affected document previews and message attachments.

Patches for CVE-2026-41947, CVE-2026-41949 and CVE-2026-41950 are in Dify 1.14.2; a fix for CVE-2026-41948 has been merged for the next release. Zafran also flagged a separate concern: a PDFium build vulnerable to CVE-2024-5846 remained in use for over 18 months, potentially enabling a use-after-free if a malicious PDF is uploaded.
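The tracing and file-attachment issues above share one root cause: a resource was looked up by its ID alone, without checking that it belongs to the caller's tenant. The following is an added, constructed illustration of that missing check and its fix, written in Python because Dify's API server is a Python code base. It is not Dify's code; the `App`, `UploadFile`, `configure_tracing` and `attach_file` names, the in-memory tables and all sample IDs are assumptions made for the example, and the pattern generalizes to any tenant-owned resource, not only tracing settings and uploads.

```python
"""Tenant-scoped lookups: the vulnerable pattern beside the hardened one.

Hypothetical, constructed example (not Dify's code). All names and sample
data below are assumptions made for illustration.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller tries to touch a resource outside its own tenant."""


@dataclass
class App:
    app_id: str
    tenant_id: str
    tracing_config: dict = field(default_factory=dict)


@dataclass
class UploadFile:
    file_id: str
    tenant_id: str
    name: str


def sample_tables():
    """Constructed sample data: two tenants, each owning one app and one upload.
    Returned fresh on every call so the vulnerable path cannot pollute later runs."""
    apps = {
        "app-a": App("app-a", "tenant-a"),
        "app-b": App("app-b", "tenant-b"),
    }
    files = {
        "file-a": UploadFile("file-a", "tenant-a", "a-notes.pdf"),
        "file-b": UploadFile("file-b", "tenant-b", "b-contract.pdf"),
    }
    return apps, files


def configure_tracing_vulnerable(apps, current_tenant_id, app_id, config):
    """Vulnerable shape: the app is fetched by ID only, so the caller's tenant
    never enters the decision and any known app ID can be reconfigured."""
    app = apps[app_id]
    app.tracing_config = dict(config)
    return app


def get_tenant_resource(table, resource_id, current_tenant_id):
    """Hardened lookup: the resource must exist AND belong to the caller's tenant.
    Both failures raise the same error so the response does not leak whether an
    ID exists under another tenant."""
    resource = table.get(resource_id)
    if resource is None or resource.tenant_id != current_tenant_id:
        raise Forbidden(f"{resource_id} is not accessible to {current_tenant_id}")
    return resource


def configure_tracing(apps, current_tenant_id, app_id, config):
    """Hardened shape: tenant ownership is enforced before any write."""
    app = get_tenant_resource(apps, app_id, current_tenant_id)
    app.tracing_config = dict(config)
    return app


def attach_file(apps, files, current_tenant_id, app_id, file_id):
    """Both the app and the upload are checked against the caller's tenant
    before the file is attached to the app's chat flow."""
    app = get_tenant_resource(apps, app_id, current_tenant_id)
    upload = get_tenant_resource(files, file_id, current_tenant_id)
    return {"app_id": app.app_id, "file_id": upload.file_id, "file_name": upload.name}


def run_scenario():
    """Exercise each path as tenant-a and report which cross-tenant actions
    succeed (True) or are blocked (False)."""
    apps, files = sample_tables()
    cfg = {"provider": "example-tracer"}
    outcome = {}

    # Vulnerable path: tenant-a reconfigures tenant-b's app without objection.
    app = configure_tracing_vulnerable(apps, "tenant-a", "app-b", cfg)
    outcome["vulnerable_cross_tenant_write"] = app.tracing_config == cfg

    apps, files = sample_tables()
    try:
        configure_tracing(apps, "tenant-a", "app-b", cfg)
        outcome["hardened_cross_tenant_write"] = True
    except Forbidden:
        outcome["hardened_cross_tenant_write"] = False

    outcome["hardened_same_tenant_write"] = (
        configure_tracing(apps, "tenant-a", "app-a", cfg).tracing_config == cfg
    )

    try:
        attach_file(apps, files, "tenant-a", "app-a", "file-b")
        outcome["hardened_cross_tenant_attach"] = True
    except Forbidden:
        outcome["hardened_cross_tenant_attach"] = False

    outcome["hardened_same_tenant_attach"] = (
        attach_file(apps, files, "tenant-a", "app-a", "file-a")["file_name"] == "a-notes.pdf"
    )
    return outcome


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point of `get_tenant_resource` is that the tenant filter lives in the data-access helper rather than in each handler, so a new endpoint cannot forget it; in a real ORM-backed service the equivalent is adding `tenant_id = :current_tenant` to the query itself instead of fetching by primary key and comparing afterwards.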