PatchSiren cyber security CVE debrief
CVE-2026-41947 langgenius CVE debrief
A critical authorization bypass vulnerability in Dify (versions 1.14.1 and prior) allows authenticated editor users to manipulate trace configurations for applications outside their tenant scope. The flaw stems from missing tenant ownership validation in trace configuration endpoints, enabling attackers to redirect messages and responses from victim applications to attacker-controlled LLM trace providers. The vulnerability is particularly severe because Dify Cloud permits unauthenticated free self-registration, allowing trivial account creation for exploitation. The issue was disclosed on 2026-05-18 and modified on 2026-05-19. A patch is available via GitHub pull request.
- Vendor
- langgenius
- Product
- dify
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-18
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-18
- Advisory updated
- 2026-05-26
Who should care
Organizations operating multi-tenant Dify deployments, particularly Dify Cloud customers and self-hosted instances with open registration. Security teams responsible for LLM application governance, data loss prevention, and tenant isolation in AI platforms. Developers building on Dify who rely on trace functionality for observability should verify their configurations haven't been tampered with.
Technical summary
The vulnerability exists in Dify's trace configuration endpoints where tenant ownership checks are insufficiently enforced. Authenticated users with editor privileges can modify trace settings for applications belonging to other tenants. This allows redirection of sensitive LLM interactions—including user messages and model responses—to external systems controlled by the attacker. The attack vector is network-accessible with high attack complexity due to authentication requirements, but the impact is severe: complete confidentiality and integrity compromise of affected application data without availability impact. The CVSS 4.0 score of 9.1 reflects critical severity due to the high value of exfiltrated LLM data and the trivial account creation pathway in cloud deployments.
Defensive priority
critical
Recommended defensive actions
- Immediately upgrade Dify to a version beyond 1.14.1 or apply the patch from the vendor's GitHub repository
- Review and audit existing trace configurations for unauthorized LLM provider endpoints
- Implement additional tenant isolation controls at the application layer if immediate patching is not feasible
- Monitor for suspicious trace configuration changes in audit logs, particularly those targeting applications outside the modifying user's tenant scope
- Consider restricting self-registration capabilities or implementing additional verification steps for new accounts in Dify Cloud deployments
Evidence notes
Vulnerability confirmed through NVD with CVSS 4.0 vector. Exploitability confirmed via Huntr bounty platform. Patch available in GitHub PR #35793.
Official resources
-
CVE-2026-41947 CVE record
CVE.org
-
CVE-2026-41947 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Mitigation, Patch
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
2026-05-18T15:16:25.827Z