Critical “DifyTap” Vulnerabilities Uncovered in Leading LLMOps Platform

A significant security research effort has exposed a series of critical vulnerabilities in Dify, a prominent open-source LLMOps (Large Language Model Operations) platform. Powering over one million AI applications, Dify has become a cornerstone of enterprise AI development and is used by industry giants such as Volvo, Maersk, and Panasonic. A collection of flaws dubbed “DifyTap”, however, reveals deep-seated architectural weaknesses that undermine tenant isolation in multi-tenant deployments.

The DifyTap research, led by Zafran, identifies four distinct vulnerabilities: two rated critical and two that allow unauthenticated access. Collectively, these flaws enable cross-tenant data leakage, letting unauthorized actors intercept private AI conversations, preview sensitive documents, and interact directly with internal APIs.

Deep Dive: The Mechanics of DifyTap

While Dify’s architecture is designed to facilitate low-code development through integrated plugins and Retrieval-Augmented Generation (RAG) pipelines, the research suggests that the platform’s trust boundaries and tenant isolation logic are fundamentally flawed.

1. Persistent Data Exfiltration via Tracing (CVE-2026-41947)

The most serious vulnerability, tracked as CVE-2026-41947 (CVSS 9.1), lies in Dify’s telemetry and tracing functionality. The feature lets developers monitor an application by forwarding its traces to an external tracing provider, but the endpoints that manage this configuration do not check that the requester owns the application in question.

An attacker therefore needs only an application ID, which can be read from a public-facing app, to point that application’s tracing configuration at an endpoint under their control. Because ownership is never verified, the result is a “silent wiretap”: every future prompt and model response is forwarded to the attacker, persistently and with nothing visible to the application’s owner, so sensitive intellectual property and end-user data leave the platform without detection.

[Figure: attacker flow showing DifyTap exploitation (Source: Zafran)]

2. Unauthenticated API Interaction via Plugin Daemon (CVE-2026-41948)

The second critical flaw, CVE-2026-41948 (CVSS 9.4), affects the Plugin Daemon, the service that executes plugins. The daemon does not properly sanitize its inputs: by placing path-traversal sequences in parameters such as filenames, an attacker can escape the intended path and reach arbitrary internal endpoints of the daemon.

Crucially, many of those internal endpoints have no authentication layer of their own. Exploitation demonstrated so far targets sensitive interfaces such as debug profiling, but the underlying architectural hole means that any internal service added to the daemon in the future would be immediately reachable by unauthenticated remote attackers.
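The pattern that finding describes, shown as an added example in Python rather than code from Dify or from Zafran’s write-up: a caller-supplied filename is spliced into the URL of an internal daemon route, so `..` segments walk out of that route and reach whatever else the daemon serves; the hardened version admits only a single, allowlisted path segment and percent-encodes it. The internal base URL, the `/files/` route and the `debug/profile` target are hypothetical names, not real Dify paths.

```python
"""Added example: a filename parameter spliced into an internal URL, unsafe vs hardened."""
import re
from urllib.parse import quote, unquote, urljoin

# Hypothetical internal route of a plugin daemon; not Dify's real layout.
INTERNAL_FILES_BASE = "http://plugin-daemon.internal:5002/files/"

# Allowlist for one filename segment: no separators, no leading dot, so
# '.', '..' and 'a/../b' can never match. Relax the class if your filenames need more.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def build_internal_url_unsafe(filename: str) -> str:
    """Vulnerable pattern: the caller-controlled filename is resolved relative
    to the files route, so '..' escapes it. urljoin applies RFC 3986
    dot-segment removal, just as an HTTP router would."""
    return urljoin(INTERNAL_FILES_BASE, filename)


def is_safe_filename(filename: str) -> bool:
    """True only for a plain single-segment filename.

    Decode percent-encoding once and refuse anything still encoded afterwards,
    so '%2e%2e%2f' and the double-encoded '%252e%252e' are rejected exactly
    like a literal '../'.
    """
    if not filename or "\x00" in filename:
        return False
    decoded = unquote(filename)
    if unquote(decoded) != decoded:  # a second pass still changes it: double encoding
        return False
    return SAFE_FILENAME.fullmatch(decoded) is not None


def build_internal_url(filename: str) -> str:
    """Hardened version: validate, then percent-encode the whole segment with
    no characters left 'safe', so the result is always one segment under the
    files route."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return INTERNAL_FILES_BASE + quote(unquote(filename), safe="")


if __name__ == "__main__":
    # Constructed traversal payload aimed at a hypothetical debug route.
    print(build_internal_url_unsafe("../debug/profile"))
    print(build_internal_url("report.pdf"))
    for bad in ("../debug/profile", "%2e%2e%2fdebug%2fprofile", "%252e%252e%252f"):
        try:
            build_internal_url(bad)
        except ValueError as exc:
            print(exc)
```

The hardened version rejects rather than strips: stripping `../` invites `....//` style bypasses, whereas an allowlist on a single segment has no such edge cases, and decoding once and then refusing anything that is still encoded closes the double-encoding route.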

[Figure: observed vulnerability findings (Source: Zafran)]

3. Broken File Access Controls (CVE-2026-41949 & CVE-2026-41950)

Dify’s file handling also shows significant weaknesses. The researchers found that access to uploaded files is gated indirectly, through permissions on the message a file is attached to, rather than through a strict object-level check that the requesting tenant owns the file. An attacker who references a file directly by its UUID bypasses those controls and can preview documents belonging to other tenants. A second, more involved route is to attach a stolen file UUID to the attacker’s own chatbot session, which in effect “prompts” the model to read and reproduce the contents of a file the attacker was never authorized to see.
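Both the tracing finding above and this file-access finding reduce to the same missing check: the object was looked up by identifier alone, never by identifier plus tenant. The following added example (not Dify’s code; the data model, function names and store layout are hypothetical) shows the vulnerable lookup beside a hardened one, applied to configuring tracing, previewing a file and attaching a file to a chat message.

```python
"""Added example: tenant-scoped object-level authorization for apps and files."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str

@dataclass
class App:
    app_id: str
    tenant_id: str
    tracing_endpoint: Optional[str] = None

@dataclass
class UploadFile:
    file_id: str           # the UUID an attacker may have obtained
    tenant_id: str
    content: bytes

class NotFound(LookupError):
    """Raised for 'no such object' and 'owned by another tenant' alike, so a
    probe cannot learn which UUIDs exist."""

# The store is a dict of tables keyed by object id: {"app": {...}, "file": {...}}.
# Hypothetical in-memory stand-in, not Dify's data model.

# Vulnerable pattern: look the object up by id and never ask who owns it.

def set_tracing_unsafe(store, who: Principal, app_id: str, endpoint: str) -> App:
    app = store["app"][app_id]            # caller is authenticated, ownership is not checked
    app.tracing_endpoint = endpoint
    return app

def preview_file_unsafe(store, who: Principal, file_id: str) -> bytes:
    return store["file"][file_id].content  # any valid UUID is enough

# Hardened pattern: every reference resolves through one tenant-scoped lookup.

def owns(store, who: Principal, kind: str, obj_id: str) -> bool:
    obj = store[kind].get(obj_id)
    return obj is not None and obj.tenant_id == who.tenant_id

def get_owned(store, who: Principal, kind: str, obj_id: str):
    if not owns(store, who, kind, obj_id):
        raise NotFound(obj_id)
    return store[kind][obj_id]

def set_tracing(store, who: Principal, app_id: str, endpoint: str) -> App:
    app = get_owned(store, who, "app", app_id)
    app.tracing_endpoint = endpoint
    return app

def preview_file(store, who: Principal, file_id: str) -> bytes:
    return get_owned(store, who, "file", file_id).content

def attach_file_to_message(store, who: Principal, file_id: str) -> dict:
    # The chat path applies the same check: a UUID referenced in a new message is
    # resolved for the requester's tenant, not trusted because a message-level
    # permission happens to exist somewhere else.
    f = get_owned(store, who, "file", file_id)
    return {"attachments": [f.file_id], "size": len(f.content)}

def build_sample_store() -> dict:
    """Constructed data: tenant-a owns one app and one uploaded file."""
    return {
        "app": {"app-a1": App("app-a1", "tenant-a")},
        "file": {"file-a1": UploadFile("file-a1", "tenant-a", b"confidential roadmap")},
    }

def run_scenario() -> dict:
    """An attacker in tenant-b who holds only the victim's UUIDs."""
    store = build_sample_store()
    attacker = Principal("u-attacker", "tenant-b")
    collector = "https://collector.attacker.example/"
    result = {}
    set_tracing_unsafe(store, attacker, "app-a1", collector)
    result["unsafe_tracing_hijacked"] = store["app"]["app-a1"].tracing_endpoint == collector
    result["unsafe_file_leaked"] = preview_file_unsafe(store, attacker, "file-a1") == b"confidential roadmap"
    attempts = {
        "safe_tracing_blocked": lambda: set_tracing(store, attacker, "app-a1", collector),
        "safe_preview_blocked": lambda: preview_file(store, attacker, "file-a1"),
        "safe_attach_blocked": lambda: attach_file_to_message(store, attacker, "file-a1"),
    }
    for name, call in attempts.items():
        try:
            call()
            result[name] = False
        except NotFound:
            result[name] = True
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices carry the weight here: routing every reference through a single `get_owned` helper means a newly added route cannot forget the check, and returning the same `NotFound` for “missing” and “not yours” keeps UUIDs from being enumerable by an attacker probing for valid ones.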

Legacy Vulnerabilities and Remediation

Beyond the DifyTap findings themselves, Zafran noted that Dify remained exposed to CVE-2024-5846, a use-after-free vulnerability in the PDFium library, for more than 18 months. A malicious PDF uploaded and rendered through the file-preview path could exploit it to achieve remote code execution (RCE).

Mitigation Strategy:

  • Immediate update: all Dify users should upgrade to version 1.14.2 or later without delay.
  • Defensive controls: deploy Web Application Firewall (WAF) rules that detect and block path-traversal sequences, including percent-encoded variants, in requests bound for the Plugin Daemon.
  • Intrusion detection: deploy the Snort signatures released by Zafran to alert on malicious activity targeting the Plugin Daemon.
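The Snort rules mentioned above are Zafran’s and are not reproduced here. As an added example of the detection idea behind both the WAF and IDS items, the following Python scans constructed web-server access-log lines (hypothetical routes and addresses, not real Dify traffic) for traversal sequences, decoding nested percent-encoding so that `%2e%2e%2f` and `%252e%252e%252f` are caught alongside a literal `../`, while a filename such as `notes..v2.txt` is left alone.

```python
"""Added example: flag path-traversal attempts in access logs, including encoded variants."""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined format. Routes, hosts and
# addresses are hypothetical; this is not real Dify traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:00:01 +0000] "GET /v1/plugin/files/report.pdf HTTP/1.1" 200 512
203.0.113.9 - - [12/May/2026:10:00:02 +0000] "GET /v1/plugin/files/../debug/profile HTTP/1.1" 200 8192
203.0.113.9 - - [12/May/2026:10:00:03 +0000] "GET /v1/plugin/files/%2e%2e%2fdebug%2fprofile HTTP/1.1" 200 8192
203.0.113.9 - - [12/May/2026:10:00:04 +0000] "GET /v1/plugin/files/%252e%252e%252fdebug%252fprofile HTTP/1.1" 404 0
10.0.0.7 - - [12/May/2026:10:00:05 +0000] "GET /v1/plugin/files/notes..v2.txt HTTP/1.1" 200 100
10.0.0.8 - - [12/May/2026:10:00:06 +0000] "POST /v1/plugin/files/..%5c..%5cdebug HTTP/1.1" 400 0
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A traversal segment: '..' bounded by a separator, or the end of the path, on
# both sides. Backslash is included because some servers accept it as a separator.
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str) -> bool:
    """Decide on the path component only; the query string is dropped first."""
    path = target.split("?", 1)[0]
    return TRAVERSAL.search(fully_decode(path)) is not None


def find_traversal(lines) -> list:
    """Return (ip, status, raw_target, decoded_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access-log line
        target = m.group("target")
        if is_traversal(target):
            hits.append((m.group("ip"), int(m.group("status")), target, fully_decode(target)))
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Run this over the access log of the reverse proxy in front of the daemon, which records the raw request line before any normalization. The status column separates probes that were refused (4xx) from ones that were served (200); the served ones are the first to investigate, though a 200 alone does not prove the traversal reached anything.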

These findings serve as a vital reminder that in microservices-heavy AI architectures, traditional container scanning is often insufficient. Security must extend into the application layer to ensure that tenant isolation is enforced not just at the network level, but within the logic of the AI workflows themselves.
