MediumPublic exploit

Authorization Bypass in Dify chat-messages File Attachment Handling

IdentifiersCVE-2026-41950CWE-639· Authorization Bypass Through…

CVE-2026-41950 is an authorization bypass vulnerability in Dify affecting versions before 1.14.0. The flaw exists in the chat-messages request handling for file attachments: an authenticated user can supply an arbitrary file UUID in the files array of a chat-messages request, and Dify fails to properly verify that the referenced file belongs to the requesting user before making it available to workflow or chatbot processing. As described in the provided content, the issue stems from insufficient permission verification and missing ownership validation on file identifiers, allowing a user to attach another user’s uploaded file within the same tenant and induce a file-capable chatbot or workflow to read back the file contents. This bypasses intended workspace separation and signed-URL style protections, resulting in unauthorized disclosure of the full contents of uploaded files.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to obtain the full contents of files uploaded by other users in the same tenant. The impact is unauthorized information disclosure of sensitive uploaded data, including documents and other file types that can be processed by Dify workflows or file-capable chatbots. Because the flaw abuses backend workflow processing rather than direct file ownership checks, it undermines workspace separation and access controls within a shared tenant environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to chat-messages functionality to trusted users, reduce exposure of file-capable chatbot/workflow features, and closely monitor for anomalous use of file UUIDs in chat-messages requests. Review tenant sharing models, minimize sensitive file uploads in shared-tenant deployments, and add detection for attempts to reference files not owned by the requesting user. Compensating controls should focus on preventing or alerting on cross-user file UUID reuse until a fixed version is deployed.

Remediation

Patch, then assume compromise.

Upgrade Dify to a fixed release. The provided content states the issue affects versions before 1.14.0, and separate reporting indicates Dify released fixes in the 1.14.x line, including version 1.14.2. At minimum, deploy a vendor-fixed version that includes the authorization check corrections for CVE-2026-41950 and verify that chat-messages endpoints enforce file ownership and tenant/workspace authorization on every referenced file UUID.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LanggeniusDifyapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

scworldNews

Jun 23, 2026

4 vulnerabilities in Dify expose cross-tenant data | brief | SC Media

A Dify vulnerability that enables chatbots to read attached user files, contributing to cross-tenant data exposure risk.

security affairsNews

Jun 23, 2026

DifyTap: Four Bugs Put over 1 million AI Apps at Risk - Security Affairs

A Dify file access vulnerability that allows a client to reference another user’s file UUID in chat interactions and have a file-capable chatbot disclose the file contents.

security weekNews

Jun 23, 2026

Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps - SecurityWeek

A high-severity Dify file access control vulnerability related to file identification and permissions that allows retrieval of files uploaded by other users within the same tenant.

cyber security newsNews

Jun 23, 2026

DifyTap Flaws Allow Attackers to Wiretap AI Data Across Tenants - 1M+ Apps Impacted

A Dify vulnerability fixed in version 1.14.2; specific technical details are not provided in the content.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41950

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41950

MITRE CWE · CWE-639

Authorization Bypass Through User-Controlled Key

Third Party Advisory

huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d

Third Party Advisory

vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid

Release Notes

github.com/langgenius/dify/releases/tag/1.14.0