Overview
- Zafran Security disclosed the set of flaws dubbed DifyTap in late June 2026, describing four high‑severity bugs that let attackers siphon AI chat messages and access uploaded files across tenants by abusing tracing, plugin and file‑preview endpoints.
- Dify issued version 1.14.2 in May 2026 that fixes three tracked CVEs (CVE‑2026‑41947, CVE‑2026‑41949, CVE‑2026‑41950) while CVE‑2026‑41948, a high‑scoring plugin daemon path‑traversal issue, remains unpatched with a promised fix in the next release.
- Researchers warn the tracing feature can be abused to create a persistent exfiltration channel that captures all messages and model responses whenever tenant validation is missing.
- Zafran also found Dify’s preview pipeline used a vulnerable PDFium binary until December 21, 2025, creating an additional historical remote‑execution risk and exposing gaps in container and supply‑chain visibility.
- Operators are urged to upgrade to 1.14.2, implement Web Application Firewall rules to mitigate the pending CVE, and harden tenant‑ownership checks and file‑access controls to prevent cross‑tenant data leaks.