Authorization Bypass in Dify Product by Langgenius
CVE-2026-41947
Key Information:
- Vendor
Langgenius
- Status
- Vendor
- CVE Published:
- 18 May 2026
Badges
What is CVE-2026-41947?
CVE-2026-41947 is a critical vulnerability identified in the Dify product by Langgenius, an application designed for facilitating the integration and management of artificial intelligence (AI) applications. This vulnerability arises from an authorization bypass flaw existing in versions prior to 1.14.2 of the Dify platform. Attackers who have authenticated editor access can exploit this flaw to manipulate trace configurations for any application within the platform, bypassing tenant ownership restrictions. This means that an attacker can redirect messages and responses from victim applications to their own designated trace providers, posing serious risks to data confidentiality and integrity. The accessibility of Dify Cloud, which allows free self-registration for users, further amplifies the risk, as malicious actors can easily create accounts to exploit this vulnerability.
Potential impact of CVE-2026-41947
-
Data Breaches: The authorization bypass allows attackers to intercept and manipulate sensitive data exchanged between applications. This capability can lead to unauthorized access to personally identifiable information (PII) and other confidential data.
-
Multi-Tenant Compromise: Since Dify is a multi-tenant platform, exploiting this vulnerability gives an attacker the ability to access and impact other tenants, effectively compromising the entire cloud ecosystem that relies on Dify for application management.
-
Loss of Trust and Reputation: Organizations using Dify may face significant reputational damage if they are compromised through this vulnerability. The unauthorized capabilities could lead to public exposure of sensitive operations, resulting in loss of customer trust and potential financial ramifications.
Affected Version(s)
dify 0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
