Critical | Public exploit

Path Traversal in Dify Plugin Daemon Internal REST API

Identifiers: CVE-2026-41948, CWE-22

CVE-2026-41948 is a path traversal vulnerability in the Plugin Daemon component of Dify version 1.14.1 and earlier; the Plugin Daemon manages and runs Dify plugins. The flaw stems from insufficient URL path sanitization when requests are forwarded to the Plugin Daemon's internal REST API. According to the available reporting, attackers can abuse two request primitives (supporting GET and POST operations) by supplying unencoded dot-segment traversal sequences in task identifiers or manipulated filename parameters. This allows traversal outside the attacker's authorized tenant path and access to internal, otherwise private Plugin Daemon endpoints, including debug interfaces such as performance profiling (pprof) endpoints. The issue has also been described as enabling arbitrary internal API endpoint access and cross-tenant effects where knowledge of a victim tenant UUID is sufficient. Some reporting states that the vulnerable Plugin Daemon endpoints do not require authentication, while other reporting describes exploitation by authenticated users; the authentication requirement is therefore inconsistent across the available material.


Analyst brief: impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to escape intended tenant path restrictions and reach internal Plugin Daemon REST API endpoints that should not be accessible. Reported impacts include unauthorized access to internal/private endpoints, access to debug or pprof performance data, fetching other tenants' plugin icons, and the ability to affect other tenants' environments through cross-tenant internal API calls. Because the flaw exposes arbitrary internal API reachability via GET and POST primitives, the practical impact may expand as additional Plugin Daemon endpoints are exposed, making this an architectural risk beyond the immediately observed data exposure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, implement WAF rules specifically designed to block traversal attempts targeting Plugin Daemon request paths, including unencoded dot-segment sequences and suspicious manipulated filename/task identifier values. Restrict exposure of Plugin Daemon-related interfaces through network segmentation, reverse-proxy filtering, and strict access controls. Limit Dify instance access to trusted users, disable or tightly control self-registration where operationally feasible, and monitor logs for anomalous GET/POST requests to Plugin Daemon paths, traversal patterns, access to debug/pprof endpoints, and requests referencing unexpected tenant UUIDs.

Remediation

Patch, then assume compromise.

Upgrade Dify from version 1.14.1 and earlier to a vendor-fixed release containing the CVE-2026-41948 patch. Available reporting states that Dify 1.14.2 patched other DifyTap issues, while the fix for CVE-2026-41948 had been merged and was expected in a subsequent release; users should therefore deploy the most recent vendor release, or the current patched GitHub build, that includes the fix. Validate that the Plugin Daemon request-forwarding logic normalizes and rejects traversal sequences in task identifiers, filenames, and related path-derived inputs before forwarding requests to internal REST endpoints.
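An added example (not code from Dify or the Plugin Daemon project) of the validation the mitigation and remediation sections call for, written in Go because the Plugin Daemon is a Go service: path-derived inputs are checked before the internal path is built and the result is confirmed to stay under the tenant root, and a second helper flags logged request paths carrying dot-segments for the monitoring recommended above. The route prefix, the segment grammar and all function names are assumptions, not the daemon's real layout.

```go
package main

import (
	"errors"
	"net/url"
	"path"
	"regexp"
	"strings"
)

const pluginDaemonPrefix = "/plugin" // hypothetical; the daemon's real route layout is not on the page

var (
	safeSegment  = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`) // UUID-style id or plain file name
	ErrTraversal = errors.New("path-derived input rejected")
)

// ValidateSegment rejects a task identifier or filename that could change the shape of the forwarded path.
func ValidateSegment(s string) error {
	dec, err := url.PathUnescape(s) // decode once so %2e%2e is seen as ".."
	if err != nil || !safeSegment.MatchString(dec) {
		return ErrTraversal
	}
	return nil
}

// ForwardPath builds the internal path for a tenant's task and confirms it still sits under that tenant's root.
func ForwardPath(tenantID, taskID string) (string, error) {
	for _, s := range []string{tenantID, taskID} {
		if err := ValidateSegment(s); err != nil {
			return "", err
		}
	}
	tenantRoot := path.Join(pluginDaemonPrefix, "tenants", tenantID) + "/"
	p := path.Join(tenantRoot, "tasks", taskID) // path.Join also runs path.Clean
	if !strings.HasPrefix(p, tenantRoot) {
		return "", ErrTraversal
	}
	return p, nil
}

// LooksLikeTraversal flags a logged request path carrying dot-segments, doubled slashes, backslashes or bad escapes.
func LooksLikeTraversal(rawPath string) bool {
	dec, err := url.PathUnescape(rawPath)
	if err != nil || strings.Contains(dec, `\`) {
		return true
	}
	norm := "/" + strings.Trim(dec, "/") // ignore only leading/trailing slashes
	return path.Clean(norm) != norm
}
```

Run LooksLikeTraversal over the request-path field of proxy or daemon access logs; any hit on a Plugin Daemon path is worth a closer look regardless of whether the validator above is already deployed.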
Public exploits

No public exploit code observed for this vulnerability.

Exposure surface

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor      Product  Type
Dify        Dify     application
Langgenius  Dify     application

Vendor-confirmed product mapping.
