CVE-2026-41949
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint to extract sensitive content from documents without ownership or workspace permission verification.
Risk Assessment
This vulnerability poses a significant risk to organizations as it allows unauthorized access to sensitive information in documents, potentially leading to data leaks. Additionally, the ease of account creation by unauthenticated users increases the risk of attacks.
Recommendation
It is recommended to update Dify to version 1.14.2 or later to mitigate this vulnerability. Consider implementing additional security measures, such as user identity verification before granting access to sensitive data.
Original NVD description (English source)
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

