Authentication Bypass in Dify Web by Langgenius
CVE-2025-11750

4.3 MEDIUM

Key Information:

Vendor: Langgenius

CVE Published: 22 October 2025

What is CVE-2025-11750?

In Dify Web version 1.6.0, the login and registration flows return different error messages depending on whether an account exists. Submitting an unknown username or email returns a message saying the account was not found, while submitting an existing account with a wrong password returns a different message. An attacker can use this difference to confirm which accounts exist, which narrows brute-force and credential-stuffing attacks and supports targeted social engineering. The standard fix is to return the same generic message, and do the same amount of work, whether or not the account exists, so that no response distinguishes the two cases.
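The following is an added example, not Dify's own code, showing the user-enumeration pattern the advisory describes beside a hardened version. The user store, helper names (`login_vulnerable`, `login_hardened`, `enumerate_accounts`) and sample emails are constructed for illustration; the hardened handler returns one generic message and runs the same password check against a dummy credential when the account does not exist, so neither the message nor the amount of work reveals account existence.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not Dify's): email -> (salt, PBKDF2-SHA256 hash).
# All function and variable names below are hypothetical.

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)


USERS = {
    "alice@example.com": _make_user("correct horse battery staple"),
}

# Dummy credential with a random password: used so that the hardened path
# performs a real hash comparison even when the email is unknown.
_DUMMY_SALT, _DUMMY_HASH = _make_user(secrets.token_hex(16))


def login_vulnerable(email: str, password: str) -> tuple:
    """Distinguishable errors: the pattern the advisory describes."""
    record = USERS.get(email)
    if record is None:
        return False, "Account not found"          # leaks: account absent
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password"         # leaks: account present
    return True, "OK"


GENERIC_ERROR = "Invalid email or password"


def login_hardened(email: str, password: str) -> tuple:
    """Same message and same work whether or not the account exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and email in USERS:
        return True, "OK"
    return False, GENERIC_ERROR


def enumerate_accounts(login, candidates) -> set:
    """Attacker's view: learn the 'absent' message from a throwaway probe,
    then flag every candidate whose response differs from it."""
    probe = f"{secrets.token_hex(8)}@nonexistent.invalid"
    absent_msg = login(probe, "x")[1]
    return {
        email
        for email in candidates
        if login(email, "definitely-wrong-password")[1] != absent_msg
    }


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("vulnerable:", enumerate_accounts(login_vulnerable, guesses))  # {'alice@example.com'}
    print("hardened:  ", enumerate_accounts(login_hardened, guesses))    # set()
```

Note that the hardened handler still hashes the supplied password for unknown accounts; dropping that step would reintroduce the oracle through response timing even with a uniform message. Rate limiting on the login endpoint is a separate, complementary control.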

Affected Version(s)

langgenius/dify <= unspecified

CVSS V3.0

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 22 October 2025

  • Vulnerability Reserved