PatchSiren cyber security CVE debrief
CVE-2026-61461 langgenius CVE debrief
CVE-2026-61461 is a SQL injection vulnerability in Dify before 1.16.0-rc1. The vulnerability allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the search_by_full_text method without escaping or parameterization. Attackers can inject malicious SQL through the search parameters to read, modify, or delete data in the underlying ClickHouse database. This vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. Users of Dify before version 1.16.0-rc1 should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- langgenius
- Product
- dify
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Dify before version 1.16.0-rc1 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 1.16.0-rc1 or later, and ensuring that search parameters are properly sanitized and escaped. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability's impact on their environments and implement necessary controls.
Technical summary
The vulnerability is caused by a lack of input validation and sanitization in the search_by_full_text method of the MyScale vector store backend. This allows attackers to inject malicious SQL code, which can be used to read, modify, or delete data in the underlying ClickHouse database. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. Affected users should note that the MyScale vector store backend is used in Dify before version 1.16.0-rc1, and the vulnerability can be exploited through unsanitized search parameters.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 1.16.0-rc1 or later
- Ensure that search parameters are properly sanitized and escaped
- Monitor for suspicious activity on the ClickHouse database
- Implement additional security controls, such as web application firewalls and intrusion detection systems
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability was reported by Vulncheck and is described in their advisory. The CVE record was published on 2026-07-10T19:17:27.713Z and was last modified on 2026-07-10T20:16:49.137Z. The NVD entry is currently Undergoing Analysis. There is limited information available about the specific attack vectors or potential impact, so defenders should verify the vulnerability's presence and scope in their environments.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:27.713Z and has not been modified since then.