Access Control Flaw in Dify Platform by Langgenius
CVE-2025-32796

6.5 MEDIUM

Key Information:

Vendor: Langgenius

Status: Vendor

CVE Published: 18 April 2025

What is CVE-2025-32796?

Dify, an open-source LLM app development platform, was found to have an access control issue: normal (non-administrative) users could enable or disable applications through its API, even though the web UI restricts this capability to administrators. Because the restriction was enforced only in the UI and not at the API boundary, a low-privileged user could alter application state and disrupt application availability. Version 0.6.12 of Dify resolves this issue by strengthening API access control and implementing strict role-based access control (RBAC), so that only users with administrative rights can change an app's status.
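The pattern behind this class of flaw, as an added illustration that is not Dify's own code: the vulnerable handler trusts any authenticated user because the UI hid the toggle, while the hardened handler enforces the role at the API boundary. The role names, `User` type and in-memory app store are assumptions for the example.

```python
# Added example, not Dify's code: server-side RBAC on an app-status endpoint.
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    name: str
    role: str  # assumed role names: "admin" or "member"


class Forbidden(Exception):
    """Raised when the caller's role is not allowed to use the endpoint."""


def require_role(*allowed):
    """Decorator that rejects callers whose role is not in `allowed`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if user.role not in allowed:
                raise Forbidden(f"role '{user.role}' may not call {fn.__name__}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


# Vulnerable pattern: the web UI hides the enable/disable toggle from members,
# but the API endpoint itself only requires that the caller be logged in.
def set_app_status_vulnerable(user, apps, app_id, enabled):
    apps[app_id]["enabled"] = enabled
    return apps[app_id]["enabled"]


# Hardened pattern: the role check lives on the endpoint, not in the UI.
@require_role("admin")
def set_app_status(user, apps, app_id, enabled):
    apps[app_id]["enabled"] = enabled
    return apps[app_id]["enabled"]


def handle_request(user, apps, app_id, enabled):
    """Minimal request dispatcher returning an HTTP-style (status, body)."""
    try:
        return 200, {"app_id": app_id, "enabled": set_app_status(user, apps, app_id, enabled)}
    except Forbidden as exc:
        # Log the denied attempt: repeated 403s from one member on this
        # endpoint are worth alerting on.
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    store = {"app-1": {"enabled": True}}  # constructed sample state
    print(handle_request(User("mallory", "member"), store, "app-1", False))
    print(handle_request(User("alice", "admin"), store, "app-1", False))
```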

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published