Access Control Vulnerability in Dify Open-Source LLM App Development Platform
CVE-2025-32795
Summary
Dify, a popular open-source LLM app development platform, contained a critical access control vulnerability in versions prior to 0.6.12. Regular users could improperly obtain permission to edit application names, descriptions, and icons, even for apps they were restricted from viewing. The flaw jeopardized the integrity of the platform's applications by allowing unauthorized modification of app details. To mitigate the risk, stricter access control measures are recommended, such as role-based access control (RBAC), so that only users with the appropriate administrative privileges can alter app information. A patch addressing the issue was introduced in version 0.6.12.
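As an added illustration of the flaw and its fix (example code, not Dify's own), the vulnerable handler below applies edits to an app's name, description and icon with no authorization check, while the hardened version denies by default unless the caller may view the app and holds an editing role. The User and App classes, the role names and the allowed_viewers set are assumptions made for this example.

```python
from dataclasses import dataclass, field

EDITABLE_FIELDS = {"name", "description", "icon"}  # the fields named in the advisory

@dataclass
class User:
    user_id: str
    role: str  # assumed role names: "admin", "editor", "normal"

@dataclass
class App:
    app_id: str
    name: str
    description: str
    icon: str
    allowed_viewers: set = field(default_factory=set)  # who may view it (assumed model)

class PermissionDenied(Exception):
    pass

def update_app_vulnerable(user: User, app: App, changes: dict) -> App:
    # Vulnerable pattern: the edit is applied without any authorization check,
    # so a "normal" user who cannot even view the app can still rename it.
    for key, value in changes.items():
        setattr(app, key, value)
    return app

def can_edit_app(user: User, app: App) -> bool:
    # Deny by default: admins may edit any app; everyone else must be both
    # allowed to view the app and hold an editing role.
    if user.role == "admin":
        return True
    return user.role == "editor" and user.user_id in app.allowed_viewers

def update_app_secure(user: User, app: App, changes: dict) -> App:
    # Hardened version: authorization check first, then a field allow-list so
    # a caller cannot smuggle in attributes the endpoint was never meant to set.
    if not can_edit_app(user, app):
        raise PermissionDenied(f"{user.user_id} may not edit app {app.app_id}")
    unknown = set(changes) - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    for key, value in changes.items():
        setattr(app, key, value)
    return app
```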
References
Timeline
Vulnerability published