Authorization Bypass Vulnerability in Dify by LangGenius
CVE-2026-41950

6MEDIUM

Key Information:

Vendor: Langgenius
Status: Dify
Vendor: CVE Published:; 5 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-41950?

An authorization bypass vulnerability exists in Dify prior to version 1.14.0, enabling authenticated users to read files uploaded by other users within the same tenant. By supplying arbitrary file UUIDs in a chat-messages request, attackers can exploit inadequate permission checks in the chat-messages endpoints. This flaw facilitates unauthorized access to sensitive file contents, circumventing workspace separation and bypassing signed URL protections during workflow processing, posing significant risks to data privacy and security.

Affected Version(s)

dify 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-41950 - Proof of Concept

References

https://github.com/langgenius/dify/releases/tag/1.14.0

release-notespatch

https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8...

technical-descriptionexploit

https://www.vulncheck.com/advisories/dify-authorization-b...

third-party-advisory

CVSS V4

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 5, 2026
👾
Exploit known to exist
May 5, 2026
Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Ido Shani and Gal Zaban of Zafran Security

CVE-2026-41950 Data

JSON

Langgenius

Badges

What is CVE-2026-41950?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit