Privilege Escalation in Langgenius Dify Chatbot Framework
CVE-2024-11821

4.3MEDIUM

Key Information:

Vendor: Langgenius
Status: Langgenius/dify
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-11821?

A privilege escalation vulnerability in Langgenius Dify version 0.9.1 enables unauthorized users to modify chatbot configurations. This issue occurs due to inadequate enforcement of access controls at the endpoint /console/api/apps/{chatbot-id}/model-config, permitting typical users to override settings intended solely for admin users. Such a flaw can lead to severe changes in chatbot behavior, affecting operational integrity and user trust.

Affected Version(s)

langgenius/dify <= unspecified

References

https://huntr.com/bounties/76d5986d-3882-4ea7-81cb-f00400...

CVSS V3.0

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Nov 26, 2024