Dify AI Flaws Let Attackers Read Other Tenants' Private Chats

By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM

Published By: Purple Shield Security

Published: June 24, 2026 | Last updated: June 24, 2026

Researchers at Zafran Security disclosed four flaws in Dify, an open-source platform powering over a million AI apps, that let attackers read other customers' private AI conversations and documents across tenant boundaries. Two are critical and two need no login. The fix is version 1.14.2 — but the bigger question is who at your company approved Dify in the first place.

Most companies have no idea how many AI tools their teams are quietly using. Marketing spun up a chatbot. Support built a knowledge assistant. A product manager wired an internal workflow into a low-code platform over a weekend. Each one holds real company data, and most went live without anyone in a security role looking at them.

That gap is exactly why the DifyTap disclosure matters beyond Dify itself. On June 23, 2026, Zafran Security published four vulnerabilities in Dify that, in its multi-tenant cloud, let one customer reach into another customer's data. According to Zafran, three of the four carry cross-tenant impact, and two require no authentication at all.


What is DifyTap and what was exposed?


DifyTap is the name Zafran Security gave to a set of four vulnerabilities in Dify, an open-source LLMOps platform used to build chatbots, AI agents, and workflows. According to Zafran, the flaws let attackers read other tenants' AI conversations, preview documents uploaded by other customers, and reach internal APIs — on a platform that powers more than one million AI applications across over 60 industries.


Two of the four are rated critical. CVE-2026-41947 (CVSS 9.1) sits in Dify's tracing system, the component that logs prompts and model responses. Zafran found the tracing endpoints did not verify which tenant a request came from. In the researchers' words, an attacker can "create a persistent exfiltration channel for all messages and responses sent in the application."


The second critical flaw, CVE-2026-41948 (CVSS 9.4), is a path-traversal weakness in the Plugin Daemon — the service that runs Dify plugins — that an unauthenticated attacker can use to reach internal API endpoints. The remaining two, CVE-2026-41949 and CVE-2026-41950, involve file access: any registered console user could preview the first 3,000 characters of any document in the system, or attach another user's file to their own chat and ask the AI to read it back verbatim.

One detail in Zafran's report deserves more attention than it got. Dify's PDF parser ran a version of PDFium vulnerable to CVE-2024-5846, a use-after-free bug published in June 2024, for roughly 18 months — until December 21, 2025. A known, patchable flaw sat live in production for a year and a half because nobody was tracking the dependency.


Why does a flaw in someone else's AI tool become your problem?


Because the data inside that tool is yours, and so is the breach-notification obligation if it leaks. When a multi-tenant platform fails to keep one customer's data away from another, your prompts, your uploaded contracts, and your customers' information can sit one free account registration away from a stranger. Dify Cloud allows open self-registration, which is what made several of these flaws trivially reachable.


This is the part mainstream coverage underplays. The headline is a Dify bug. The actual exposure for most mid-market companies is that they cannot answer a simpler question: which AI tools are we using, what data did we feed them, and who signed off? A vulnerability disclosure is only actionable if you know you're affected. Most firms find out they were running the vulnerable tool only after someone external tells them.


Dify's customer list reportedly includes large enterprises such as Volvo, Maersk, and Panasonic, per Zafran's disclosure. Those companies have security teams who will triage this within a day. The 40-person professional services firm that built an internal assistant on Dify Cloud does not — and that asymmetry is the real story. The tools are equally easy for anyone to adopt; the ability to govern them is not.

This is where vCISO services and fractional CISO services earn their keep. A fractional CISO — a virtual Chief Information Security Officer engaged part-time — gives a smaller company the same governance function a large enterprise gets from a full-time security executive: an inventory of what AI tools are in use, a review gate before new ones go live, and a named person who triages a disclosure like DifyTap instead of nobody noticing it at all.


How did attackers get cross-tenant access?


Through missing authorization checks — the platform verified that a request was valid, but not that the requester owned the data it asked for. In CVE-2026-41947, Dify's tracing endpoints did not confirm the tenant making the request, so an attacker could redirect another application's messages to their own logging provider. According to Zafran, because Dify Cloud permits free self-registration, getting a working account to launch from took no effort.


The file flaws followed the same pattern. The document-preview endpoint checked that a file was a document, but not who owned it, so any console user could read content belonging to other tenants by supplying a file ID. The chat-message flaw validated the tenant ID but not file ownership, letting an attacker attach someone else's file to their own prompt. These are not exotic exploits. They are basic access-control gaps in a fast-moving AI product — the kind that appear when features ship faster than security review.
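The pattern described in this section is missing object-level authorization: the request is validated, the requester's ownership of the object is not. The block below is an added example and is not Dify's code; it models that pattern on a tiny in-memory store with three handlers shaped like the flaws described above (a preview that checks the file's type but not its owner, an attachment step that checks the tenant ID but not the file, and a tracing-config update that checks nothing), each beside a hardened version that scopes every lookup to the caller's tenant. All tenant names, IDs, file names and contents are constructed.

```python
"""Added example, not Dify's code: the missing object-level authorization
pattern described above, modelled on a tiny in-memory store.

Three handlers reproduce the shape of the flaws the post describes (file
preview checks the file's type but not its owner; chat attachment checks the
tenant id but not file ownership; tracing-config update never checks which
tenant owns the app). Each sits beside a hardened version that scopes every
lookup to the caller's tenant. Names, ids and contents are constructed.
"""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when a caller asks for an object its tenant does not own."""


@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: str


@dataclass
class UploadFile:
    file_id: str
    tenant_id: str
    name: str
    content: str


@dataclass
class App:
    app_id: str
    tenant_id: str
    trace_endpoint: Optional[str] = None


# Constructed sample data: two tenants, each with one document and one app.
FILES = {
    "f-acme": UploadFile("f-acme", "acme", "contract.pdf", "ACME confidential terms ..."),
    "f-beta": UploadFile("f-beta", "beta", "notes.txt", "BETA internal roadmap ..."),
}
APPS = {
    "app-acme": App("app-acme", "acme"),
    "app-beta": App("app-beta", "beta"),
}
DOCUMENT_SUFFIXES = (".pdf", ".txt", ".md")
PREVIEW_LIMIT = 3000  # the post reports previews of the first 3,000 characters


# --- Vulnerable shape: the request is validated, the requester's ownership is not ---

def preview_vulnerable(caller: Caller, file_id: str) -> str:
    f = FILES[file_id]                       # any console user may name any file id
    if not f.name.endswith(DOCUMENT_SUFFIXES):
        raise ValueError("not a document")   # the file's type is checked ...
    return f.content[:PREVIEW_LIMIT]         # ... but not who owns it


def attach_vulnerable(caller: Caller, app_id: str, file_id: str) -> UploadFile:
    app = APPS[app_id]
    if app.tenant_id != caller.tenant_id:    # the app's tenant is checked ...
        raise Forbidden("app belongs to another tenant")
    return FILES[file_id]                    # ... the attached file's owner is not


def set_trace_vulnerable(caller: Caller, app_id: str, endpoint: str) -> str:
    app = APPS[app_id]                       # no tenant check at all: any account
    app.trace_endpoint = endpoint            # can redirect any app's traces
    return app.trace_endpoint


# --- Hardened shape: every lookup is scoped to the caller's tenant ---

def _get_file(caller: Caller, file_id: str) -> UploadFile:
    f = FILES.get(file_id)
    if f is None or f.tenant_id != caller.tenant_id:
        # Same error whether the id is unknown or belongs to another tenant,
        # so the response does not reveal which ids exist.
        raise Forbidden("file not found in this tenant")
    return f


def _get_app(caller: Caller, app_id: str) -> App:
    app = APPS.get(app_id)
    if app is None or app.tenant_id != caller.tenant_id:
        raise Forbidden("app not found in this tenant")
    return app


def preview_safe(caller: Caller, file_id: str) -> str:
    f = _get_file(caller, file_id)           # ownership first, then the type check
    if not f.name.endswith(DOCUMENT_SUFFIXES):
        raise ValueError("not a document")
    return f.content[:PREVIEW_LIMIT]


def attach_safe(caller: Caller, app_id: str, file_id: str) -> UploadFile:
    _get_app(caller, app_id)                 # both the app and the file must sit
    return _get_file(caller, file_id)        # in the caller's tenant


def set_trace_safe(caller: Caller, app_id: str, endpoint: str) -> str:
    app = _get_app(caller, app_id)
    app.trace_endpoint = endpoint
    return app.trace_endpoint


if __name__ == "__main__":
    acme, beta = Caller("u1", "acme"), Caller("u2", "beta")
    print("vulnerable preview:", preview_vulnerable(beta, "f-acme")[:20])
    try:
        preview_safe(beta, "f-acme")
    except Forbidden as err:
        print("hardened preview:", err)
```

The hardened helpers put the tenant comparison in one place that every handler is forced through, which is the review-time check to apply to any endpoint that takes an object ID: does the lookup itself carry the caller's tenant, or does the handler trust the ID and check only the object's properties?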


What should your business do?


Start by finding out whether you run Dify at all, then patch it, then close the governance gap that let it go unnoticed. Concrete steps:

  • Confirm whether any team uses Dify — cloud or self-hosted. Ask marketing, support, and product directly; shadow AI rarely shows up in an asset inventory.

  • If you self-host, upgrade to Dify 1.14.2 or later. Three of the four flaws are fixed there; a fix for CVE-2026-41948 has been merged on GitHub, and Zafran recommends interim WAF rules for it.

  • If you use Dify Cloud, treat any sensitive prompts or documents processed before the patch as potentially exposed, and rotate any credentials or keys that passed through it.

  • Pull an inventory of every AI tool your teams have adopted and what data each one touches. Most companies have never done this once.

  • Set one rule: no new AI tool handling company or customer data goes live without a named owner and a basic risk review. That single gate prevents most of this.


If you want a framework to hang this on rather than a one-off scramble, the NIST AI Risk Management Framework (AI RMF) maps cleanly onto exactly these questions — inventory, accountability, and third-party risk for AI systems.


Frequently asked questions


Was anyone's data actually stolen?

As of the June 2026 disclosure, Zafran had reported the vulnerabilities and confirmed that cross-tenant access was possible, but it did not report confirmed mass exploitation in the wild; it noted that real-world exploitation of the Plugin Daemon flaw was limited at disclosure. Treat "possible" as "assume exposure" for any sensitive data you ran through Dify Cloud before patching, because the tracing flaw enabled a silent, persistent exfiltration channel.


We self-host Dify instead of using the cloud. Are we affected?

Partly. The three cross-tenant issues are most dangerous on Dify's multi-tenant cloud, but the Plugin Daemon path-traversal flaw (CVE-2026-41948) and the long-running PDFium bug (CVE-2024-5846) affect self-hosted deployments too. Upgrade to 1.14.2 or later, deploy the recommended WAF rules for CVE-2026-41948 until its fix ships in a release, and apply Zafran's published Snort signatures if you run network detection.


How do we even know which AI tools our teams are using?

You ask, and you check what's leaving your network. Start with a direct survey of every department, then review SSO logs, expense reports, and outbound traffic for AI services nobody formally approved. This "shadow AI" discovery is usually the first thing a fractional CISO runs, because you cannot govern or patch a tool you don't know exists.


Is a fractional CISO worth it just for AI tool oversight?

For a company under a few hundred employees adopting AI faster than it can review, usually yes, and AI oversight is rarely the only gap a fractional CISO closes. The same engagement that inventories your AI tools also handles vendor risk, compliance readiness, and incident response planning. If your only security "process" for new AI tools is hoping someone technical glances at them, a part-time CISO is far cheaper than the breach that gap eventually produces.

DifyTap will be patched and forgotten in a week. The pattern behind it — useful AI tools going live with no one accountable for the risk — will keep producing headlines all year. If you want a clear inventory of the AI your teams are using and a simple gate before the next one ships, that's the kind of work Purple Shield Security's vCISO and fractional CISO services are built to handle. A short conversation is usually enough to tell whether you have a real gap or just a few loose ends.


Sources


Security Affairs: DifyTap, Four Bugs Put over 1 million AI Apps at Risk — https://securityaffairs.com/194081/hacking/difytap-four-bugs-put-over-1-million-ai-apps-at-risk.html
