DEV Community

Mark0

Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants

Cybersecurity researchers at Zafran Security have disclosed DifyTap, a collection of four critical vulnerabilities in Dify, an open-source agentic workflow platform. Two of these flaws were critical and three had cross-tenant impact; they allowed attackers to clandestinely read AI conversations and data from other customers' applications without authentication. This created a covert channel for exfiltrating AI messages and model responses, posing significant privacy risks.

The DifyTap vulnerabilities included authorization bypasses, a path traversal flaw, and issues enabling unauthorized preview and leakage of files across tenants and within a tenant using file UUIDs. Additionally, Dify's file parsing stack relied on a vulnerable version of PDFium (CVE-2024-5846), susceptible to heap corruption via crafted PDF files. Attackers could also exploit missing tenant ownership checks to redirect all application messages and responses to an attacker-controlled LLM trace provider, creating a persistent exfiltration channel.

Following responsible disclosure, Dify has addressed most of these vulnerabilities in version 1.14.2, with a fix for CVE-2026-41948 pending in the next release. This discovery highlights the challenges in vulnerability visibility within container images and the critical need for robust security in multi-tenant AI platforms.
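
The missing tenant ownership checks described above, shown as an added example that is not from the original article or from Dify's code base: a file lookup that trusts a UUID alone, beside a tenant-scoped lookup, with the same check applied to trace-provider configuration. All model, function and tenant names are hypothetical, and the data is constructed.

```python
import uuid
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller's tenant does not own the requested object."""

@dataclass
class StoredFile:          # hypothetical model, not Dify's schema
    id: str
    tenant_id: str
    content: bytes

@dataclass
class App:                 # hypothetical model, not Dify's schema
    id: str
    tenant_id: str
    trace_endpoint: str = ""

# Constructed sample data: two tenants, one file and one app each.
FILES = {f.id: f for f in (
    StoredFile(str(uuid.UUID(int=1)), "tenant-a", b"tenant A chat export"),
    StoredFile(str(uuid.UUID(int=2)), "tenant-b", b"tenant B chat export"),
)}
APPS = {a.id: a for a in (App("app-a", "tenant-a"), App("app-b", "tenant-b"))}

def preview_file_unscoped(file_id: str) -> bytes:
    # Weak pattern: possession of the UUID is treated as authorization.
    return FILES[file_id].content

def _owned(table: dict, obj_id: str, caller_tenant: str):
    # Match on id AND tenant. A missing row and a foreign row raise the same
    # error, so the response does not confirm that the id exists.
    obj = table.get(obj_id)
    if obj is None or obj.tenant_id != caller_tenant:
        raise Forbidden(obj_id)
    return obj

def preview_file(file_id: str, caller_tenant: str) -> bytes:
    # caller_tenant must come from the authenticated session, never the request.
    return _owned(FILES, file_id, caller_tenant).content

def set_trace_endpoint(app_id: str, caller_tenant: str, endpoint: str) -> None:
    # Trace configuration decides where messages and responses are copied,
    # so it needs the same ownership check as reading the data directly.
    _owned(APPS, app_id, caller_tenant).trace_endpoint = endpoint
```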

