By Allan D - Editor, AI Security Wire
DifyTap: Four Flaws Let Attackers Wiretap AI Chats Across Tenants
Zafran Security disclosed four authorization vulnerabilities in Dify this week, collectively named DifyTap. The flaws affect an AI platform that powers over one million deployed applications, including deployments at Volvo, Maersk, Panasonic, and Thermo Fisher. Two of the four CVEs carry critical CVSS scores. Three have cross-tenant impact, meaning an attacker targeting one customer’s application can reach data belonging to a completely separate customer.
The central finding is uncomfortable for anyone running AI agents in a shared platform: tenant isolation in Dify’s cloud was failing at several authorization boundaries, and the most exploitable path required nothing more than a free account.
What Dify Is and Why It Matters
Dify is an open-source low-code platform for building AI applications and agentic workflows, with around 146,000 GitHub stars and more than a million apps built on top of it. Enterprises use it to build customer-facing chatbots, internal document Q&A agents, RAG pipelines, and multi-step AI workflows. The conversations those agents handle often include sensitive business data: customer PII, internal documents, financial queries, legal information.
That context makes cross-tenant exfiltration a serious data protection issue, not just a technical finding.
The Four CVEs
CVE-2026-41947 (CVSS 9.1): Dify’s tracing configuration endpoints do not validate whether the requesting user’s tenant matches the target application. Tracing is a legitimate feature that routes application telemetry to an observability provider. An attacker with a free Dify cloud account can configure their own tracing provider on any publicly accessible application. From that point, every message sent to the target app, along with every model response, is silently copied to the attacker’s endpoint. No interaction from the victim is needed beyond normal use of the application.
CVE-2026-41948 (CVSS 9.4): A path traversal flaw in Dify’s Plugin Daemon service allows crafted GET and POST requests to access internal, private API endpoints that are not intended to be reachable from the external API. This could be used to trigger cross-tenant internal API calls or access plugin functionality without proper authorization. The fix has been merged to GitHub but is not yet in a released version.
CVE-2026-41949: An attacker can preview documents uploaded by other tenants by supplying an arbitrary file UUID to the preview endpoint. There is no check that the requesting user belongs to the same tenant as the file owner.
CVE-2026-41950 (CVSS 6.5): Similar in mechanics, this flaw allows authenticated users to read the full contents of files uploaded by other users within the same tenant by attaching an arbitrary file UUID to a chat-messages request.
The Broader Problem This Illustrates
DifyTap is not unique to Dify. It is representative of a class of authorization failure that appears repeatedly in multi-tenant AI platforms: the platform validates authentication (is this a valid user?) but skips or insufficiently implements authorization (does this user own this resource?).
AI platforms handle this problem in an environment where the data is unusually sensitive. Chat histories may contain the equivalent of privileged business communications. Document stores may hold internal strategy, contracts, or customer records. When those stores are not tenant-isolated, the impact of a cross-tenant flaw is significantly higher than the same bug in a project management tool.
Zafran notes that enterprises including major manufacturers and logistics companies were among the exposed user base. The tracing bypass in particular is a quiet exfiltration path: there are no error messages, no anomalous API responses, and nothing visible to the affected application’s users or operators.
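The authentication-versus-authorization gap described above, shown on a file preview lookup. This is an added example, not Dify's code: the `User`, `UploadedFile`, `preview_authn_only` and `preview_scoped` names and the sample store are hypothetical and constructed for illustration.

```python
# Added illustration; not Dify's code. All names here are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str


@dataclass(frozen=True)
class UploadedFile:
    file_id: str
    tenant_id: str  # tenant that owns the file
    owner_id: str   # user who uploaded it
    content: str


class Forbidden(Exception):
    """Raised when an authenticated caller does not own the resource."""


# Constructed sample store: two tenants, three files.
FILES = {
    "f-001": UploadedFile("f-001", "tenant-a", "alice", "tenant A contract"),
    "f-002": UploadedFile("f-002", "tenant-a", "amir", "tenant A payroll"),
    "f-003": UploadedFile("f-003", "tenant-b", "bob", "tenant B roadmap"),
}


def preview_authn_only(user: User, file_id: str) -> str:
    """Flawed pattern: a valid session is treated as permission to read any UUID."""
    return FILES[file_id].content


def preview_scoped(user: User, file_id: str, same_user_only: bool = False) -> str:
    """Hardened pattern: resolve the object, then compare its owner to the caller."""
    f = FILES.get(file_id)
    # Same error for "missing" and "not yours", so responses do not reveal which IDs exist.
    if f is None or f.tenant_id != user.tenant_id:
        raise Forbidden(file_id)
    # Intra-tenant case (the CVE-2026-41950 shape): a tenant match alone is not enough.
    if same_user_only and f.owner_id != user.user_id:
        raise Forbidden(file_id)
    return f.content
```

The check belongs in the data-access layer that every endpoint shares, so a new route cannot forget it.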
Patch Status and Defensive Steps
Dify released version 1.14.2 addressing CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950. CVE-2026-41948 remains unpatched in a release; a fix has been committed to the repository.
Steps to take now:
- Update all Dify deployments to 1.14.2
- Review tracing configurations across all applications in your workspace. Any unexpected tracing provider should be treated as a potential exfiltration channel and removed immediately
- Set applications to private rather than public unless public access is a deliberate product requirement
- Monitor Dify’s GitHub releases for the CVE-2026-41948 patch and apply it promptly
- Audit recent chat history access logs for anomalies if you operate a high-sensitivity deployment
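One way to run the tracing review from the steps above, as an added example that is not Dify's code or schema. It audits a constructed export of per-application tracing settings; the record fields (`app_tenant`, `configured_by_tenant`, `provider`, `endpoint`) and the approved-host list are assumptions to adapt to whatever your deployment actually stores.

```python
# Added illustration; not Dify's code or schema. Field names are assumptions.
from urllib.parse import urlsplit

# Telemetry destinations your organization has approved (constructed values).
APPROVED_HOSTS = {"otel.corp.example", "traces.corp.example"}

# Constructed export: one row per application tracing configuration.
SAMPLE_CONFIGS = [
    {"app_id": "app-1", "app_tenant": "t-acme", "configured_by_tenant": "t-acme",
     "provider": "provider-a", "endpoint": "https://otel.corp.example/v1/traces"},
    {"app_id": "app-2", "app_tenant": "t-acme", "configured_by_tenant": "t-other",
     "provider": "provider-a", "endpoint": "https://otel.corp.example/v1/traces"},
    {"app_id": "app-3", "app_tenant": "t-acme", "configured_by_tenant": "t-acme",
     "provider": "provider-b", "endpoint": "https://collector.unknown.example/ingest"},
    {"app_id": "app-4", "app_tenant": "t-acme", "configured_by_tenant": "t-acme",
     "provider": "provider-b", "endpoint": "http://traces.corp.example:4318/"},
    {"app_id": "app-5", "app_tenant": "t-acme", "configured_by_tenant": "t-acme",
     "provider": None, "endpoint": None},
]


def audit_tracing(configs, approved_hosts):
    """Return {app_id: [reasons]} for every tracing config that needs review."""
    findings = {}
    for cfg in configs:
        if not cfg.get("provider") and not cfg.get("endpoint"):
            continue  # tracing is not enabled for this app
        reasons = []
        # A config written by another tenant is the cross-tenant signature.
        if cfg.get("configured_by_tenant") != cfg.get("app_tenant"):
            reasons.append("configured by a different tenant")
        parts = urlsplit(cfg.get("endpoint") or "")
        host = (parts.hostname or "").lower()
        if host not in approved_hosts:
            reasons.append(f"unapproved destination host: {host or 'missing'}")
        if parts.scheme != "https":
            reasons.append("telemetry not sent over https")
        if reasons:
            findings[cfg["app_id"]] = reasons
    return findings
```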
References
- Zafran Security — DifyTap: Zafran discovers how attackers can silently wiretap AI data across tenants
- The Hacker News — Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
- SecurityWeek — Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps
- Dark Reading — DifyTap Bugs Let Attackers ‘Wiretap’ AI Chat Histories
- Security Affairs — DifyTap: Four Bugs Put over 1 million AI Apps at Risk
Frequently Asked Questions
- What is DifyTap and which platforms does it affect?
- DifyTap is the collective name for four authorization vulnerabilities discovered by Zafran Security in Dify, the open-source AI application platform. The flaws affect both Dify's cloud-hosted service and self-hosted deployments. They allow attackers to read AI chat histories from other customers' applications, access files across tenant boundaries, and call internal plugin APIs without authorization.
- Does an attacker need a paid account or admin access to exploit these?
- No. The most severe flaw, CVE-2026-41947 (CVSS 9.1), requires only a free Dify cloud account. An attacker can sign up for free, configure their own tracing provider on any publicly accessible application, and silently receive every message and model response from that app. The path traversal vulnerability CVE-2026-41948 similarly requires no elevated privileges — just a valid account and a crafted request.
- Have these vulnerabilities been patched and what should I do now?
- Three of the four CVEs, including the critical tracing bypass (CVE-2026-41947) and the file exposure flaws (CVE-2026-41949, CVE-2026-41950), are patched in Dify version 1.14.2. CVE-2026-41948, the Plugin Daemon path traversal, has a fix merged to GitHub but is not yet in a tagged release. Update to 1.14.2 now, audit tracing configurations for unexpected providers, and watch for the CVE-2026-41948 patch in the next release.