← All articles

DifyTap flaws let attackers read other tenants' AI chats on Dify

Zafran Security disclosed four vulnerabilities, collectively named DifyTap, in Dify, a popular open-source platform for building AI agents and workflows. Two are critical, two need no authentication, and three allow cross-tenant access on Dify's multi-tenant cloud, meaning one customer could quietly read another's private AI conversations and model responses, a covert exfiltration channel. The flaws include an authorization bypass that exposes any application's trace data (CVE-2026-41947), a path traversal into the internal Plugin Daemon API (CVE-2026-41948), and a file-preview authorization bypass (CVE-2026-41949). Most were fixed in Dify 1.14.2, but the path-traversal flaw remains unpatched pending the next release.

Check
Determine whether your organization uses Dify, self-hosted or on its cloud, identify the running version, and review whether AI conversations or application data could have been accessed across tenant or user boundaries.
Affected
Dify deployments before version 1.14.2 (CVE-2026-41947, CVE-2026-41949) and all versions for the still-unpatched path traversal (CVE-2026-41948); multi-tenant and cloud setups face cross-tenant AI-chat exposure.
Fix
Update Dify to 1.14.2 or later now, watch for the forthcoming fix for the path-traversal flaw, restrict access to Dify's internal Plugin Daemon, and avoid putting sensitive data in shared multi-tenant instances.