Critical DifyTap Flaws Let Attackers Silently Wiretap AI Conversations on Dify’s 1M-App Platform
Four newly identified vulnerabilities affect Dify, the open-source LLMOps platform powering over one million AI applications worldwide.
Collectively dubbed DifyTap, these flaws expose serious architectural weaknesses that can leak private AI conversations and sensitive documents across enterprise tenants, putting organizations like Volvo, Maersk, Panasonic, and Thermo Fisher at significant risk.
With over 140,000 GitHub stars, more than 10 million Docker pulls of its API image, and active deployments spanning 60-plus industries, Dify ranks among the most widely adopted AI infrastructure platforms globally.
Zafran’s investigation also identified tens of thousands of internet-facing Dify instances, amplifying the scale of potential exposure.
The four vulnerabilities collectively span tenant isolation failures, path traversal, and unauthorized file access:
- CVE-2026-41947 (CVSS 9.1): Tracing configuration endpoints fail to validate the requesting user’s tenant. An attacker with a free Dify cloud account can silently configure their own tracing provider on any publicly accessible application, creating a persistent exfiltration channel for all messages and model responses, with no special authentication required beyond basic signup.
- CVE-2026-41948 (CVSS 9.4): A path traversal flaw in the plugin icon endpoint allows unauthenticated traversal into Dify’s internal Plugin Daemon API. The filename query parameter is injected directly into an internal URL without sanitization, and a companion POST primitive similarly exploits the task deletion endpoint.
- CVE-2026-41949: Dify’s document preview endpoint (/console/files/<FILE_ID>/preview) performs no permission checks on the supplied UUID, allowing any console user (an account trivially obtained via free cloud registration) to read the first 3,000 characters of any document across all tenants.
- CVE-2026-41950: When a client sends a message with an attached file UUID, Dify validates only the Tenant ID rather than file ownership. An attacker can attach another user’s file UUID to their own message and instruct an LLM with file-reading capabilities to return the file’s contents verbatim.
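The two file-access gaps in the list above (CVE-2026-41949 and CVE-2026-41950), modelled in Python as an added example that is not Dify’s code; the records, ids and function names are constructed for illustration, and the hardened resolver shows the ownership binding the page says was missing:

```python
# Added example, not Dify's code: a minimal model of the two authorization
# gaps described above (CVE-2026-41949: no check on the file UUID at all;
# CVE-2026-41950: tenant compared, ownership not) beside a resolver that
# binds a file to the caller's tenant and user. Records and ids are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredFile:
    file_id: str
    tenant_id: str
    owner_id: str
    text: str

@dataclass(frozen=True)
class Principal:
    tenant_id: str
    user_id: str

class AuthorizationError(Exception):
    pass

# Constructed store; ids are placeholders standing in for the real UUIDs.
FILES = {
    "file-a": StoredFile("file-a", "tenant-1", "alice", "Alice's forecast"),
    "file-b": StoredFile("file-b", "tenant-1", "bob", "Bob's private notes"),
    "file-c": StoredFile("file-c", "tenant-2", "carol", "Carol's contract"),
}

def preview_no_check(file_id: str) -> str:
    """Pattern of CVE-2026-41949: any known UUID is served, tenant ignored."""
    return FILES[file_id].text[:3000]

def attach_tenant_only(who: Principal, file_id: str) -> StoredFile:
    """Pattern of CVE-2026-41950: same tenant suffices, so any user in the
    tenant can attach a colleague's file and have the model read it back."""
    f = FILES[file_id]
    if f.tenant_id != who.tenant_id:
        raise AuthorizationError("cross-tenant file")
    return f

def resolve_owned_file(who: Principal, file_id: str) -> StoredFile:
    """Hardened resolver: tenant AND owner must match the caller. Unknown
    and foreign ids fail identically, so the response does not reveal
    whether a guessed UUID exists."""
    f = FILES.get(file_id)
    if f is None or (f.tenant_id, f.owner_id) != (who.tenant_id, who.user_id):
        raise AuthorizationError("file not found or not accessible")
    return f
```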
Beyond these logic vulnerabilities, Zafran found that Dify’s file parsing pipeline had been running a version of pypdfium2 vulnerable to CVE-2024-5846, a use-after-free flaw in Chromium’s PDFium binary, for over 18 months following its public disclosure in June 2024. This oversight further widens the attack surface for any threat actor targeting document-heavy enterprise deployments.
Dify has released version 1.14.2, which patches CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. A fix for CVE-2026-41948 has been merged into the GitHub repository but has not yet been formally versioned. Organizations already running 1.14.2 are advised to deploy WAF rules using published Snort signatures to detect and block path traversal attempts via both GET and POST request patterns targeting the plugin icon and task deletion endpoints.
Zafran noted that traditional container scanners routinely miss application-level CVEs when images use complex build patterns. Dify’s approach of copying unpackaged Python code directly into its container is one such case.
To address this, Zafran introduced a new “shadow container image component enrichment” capability that infers the underlying application from a container image and maps it against project-level CVEs, surfacing risks previously invisible to conventional security tooling.
Organizations relying on Dify for enterprise AI workflows should prioritize upgrading to version 1.14.2 and implementing the recommended WAF rules while awaiting a formal fix for CVE-2026-41948.