CVE Catalog

CVE-2026-41950

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile - higher than 25% of all known CVEs

Summary

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant. By supplying an arbitrary file UUID in the files array of a chat-messages request, attackers can exploit insufficient permission verification.

Risk Assessment

This vulnerability may lead to unauthorized access to sensitive data, posing a serious threat to privacy and information security within the organization.

Recommendation

It is recommended to update Dify to version 1.14.0 or later to mitigate this vulnerability and implement additional permission verification mechanisms.

Original NVD description (English source)

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS