9.3
CVE-2026-41947
- EPSS 0.45%
- Veröffentlicht 18.05.2026 13:48:03
- Zuletzt bearbeitet 22.06.2026 18:16:36
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.45% | 0.359 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 9.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| nvd@nist.gov | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| disclosure@vulncheck.com | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://huntr.com/bounties/a43076b2-fbc8-4750-9647-89a036b52f52
https://github.com/langgenius/dify/pull/35793
https://www.vulncheck.com/advisories/dify-authorization-bypass-via-trace-configuration-endpoints
https://github.com/langgenius/dify/commit/55d05fe52de880cd8497df8cea052351c594fad8
https://github.com/langgenius/dify/releases/tag/1.14.2
https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps