Authorization Flaw in Dify Open-Source LLM App Development Platform
CVE-2026-34082

5.3 MEDIUM

Key Information:

Vendor: Langgenius
CVE Published: 20 April 2026

What is CVE-2026-34082?

Dify, an open-source platform for developing LLM applications, has a significant vulnerability in its authorization mechanisms. Before version 1.13.1, the API method DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> did not enforce proper authorization checks. As a result, any authenticated Dify user could delete the chat history of other users, potentially leading to unwanted data loss and privacy breaches. The issue was resolved in version 1.13.1, which reinforces authorization checks to safeguard users' data.
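The missing check described above, shown as an added example on a toy in-memory model. This is not Dify's code: the store, the handler names and the sample users are hypothetical, and the flawed handler sits beside a hardened one that ties the conversation to both the app in the URL and the calling user.

```python
# Added illustration on a toy in-memory model; NOT Dify's code.
# All class, function and user names here are hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """Would map to an HTTP 403/404 response in a real handler."""


@dataclass(frozen=True)
class Conversation:
    id: str
    app_id: str
    owner_id: str  # the user who created the chat


class ConversationStore:
    def __init__(self, rows):
        self._rows = {c.id: c for c in rows}

    def get(self, conversation_id):
        return self._rows.get(conversation_id)

    def delete(self, conversation_id):
        self._rows.pop(conversation_id, None)


def delete_conversation_unchecked(store, current_user, app_id, conversation_id):
    """Flawed pattern: being authenticated is treated as sufficient."""
    store.delete(conversation_id)  # current_user is never consulted
    return 204


def delete_conversation_checked(store, current_user, app_id, conversation_id):
    """Hardened pattern: the record must belong to this app AND this user."""
    conv = store.get(conversation_id)
    if conv is None or conv.app_id != app_id or conv.owner_id != current_user:
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        raise Forbidden(conversation_id)
    store.delete(conversation_id)
    return 204


def sample_store():
    # Constructed sample data: two users with one conversation each.
    return ConversationStore([
        Conversation("conv-a", "app-1", "alice"),
        Conversation("conv-b", "app-1", "bob"),
    ])
```

A regression test for this class of bug needs two accounts: one creates the conversation, the other attempts the delete and must be refused while the record survives.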

Affected Version(s)

dify < 1.13.1

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
