CVE-2026-21866 is a stored cross-site scripting (XSS) vulnerability identified in the langgenius Dify platform, an open-source tool for developing applications using large language models (LLMs). The vulnerability exists in versions prior to 1.11.2 and is specifically related to the rendering of Mermaid diagrams within chat interfaces. Mermaid is a popular JavaScript-based diagramming and charting tool that allows users to create diagrams from text definitions. Dify’s default Mermaid configuration uses securityLevel: loose, which does not sufficiently sanitize or neutralize potentially malicious input embedded in Mermaid diagram definitions. This improper neutralization allows attackers to inject and store malicious scripts that execute when other users view the affected chat containing the diagram. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS 4.0 vector indicates the attack can be performed remotely without authentication (AV:N/AC:L/PR:L/AT:N), requires user interaction (UI:P), and impacts the integrity and confidentiality of user sessions with limited scope and low complexity. Although no known exploits have been reported in the wild, the risk remains significant due to the potential for session hijacking, credential theft, or other malicious actions via script execution in users’ browsers. The issue is resolved in version 1.11.2 by modifying the Mermaid configuration to a more restrictive security level that properly sanitizes input and prevents script execution. This fix eliminates the stored XSS risk by ensuring that embedded Mermaid diagrams cannot carry executable malicious payloads.

The primary impact of CVE-2026-21866 is the potential compromise of user confidentiality and integrity through stored XSS attacks. Attackers can inject malicious scripts into Mermaid diagrams within chat messages, which execute in the browsers of other users viewing those chats. This can lead to session hijacking, theft of authentication tokens, unauthorized actions on behalf of users, or the spread of malware. For organizations relying on Dify for LLM app development and collaboration, this vulnerability could expose sensitive internal communications or user data to attackers. The attack requires low privileges but does require user interaction (viewing the malicious chat content). The scope is limited to users of affected Dify versions and those who access the vulnerable chat interfaces. While availability is not directly impacted, the breach of confidentiality and integrity can have severe consequences, including reputational damage, regulatory penalties, and operational disruption. Since Dify is open-source and used globally, organizations that have not upgraded to version 1.11.2 remain at risk, especially those with collaborative environments where untrusted users can submit Mermaid diagrams. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as public disclosure may prompt attackers to develop exploits.

1. Upgrade Dify installations to version 1.11.2 or later immediately to apply the fix that changes the Mermaid configuration to a secure securityLevel, preventing unsafe script execution. 2. Review and restrict user permissions to limit who can submit or edit Mermaid diagrams within chats, reducing the attack surface. 3. Implement input validation and sanitization on Mermaid diagram definitions before rendering, applying additional server-side checks if possible. 4. Monitor chat logs and user submissions for suspicious Mermaid content or unexpected script tags. 5. Educate users about the risks of interacting with untrusted chat content and encourage cautious behavior when clicking or viewing diagrams. 6. Consider deploying Content Security Policy (CSP) headers that restrict script execution sources to mitigate impact if malicious scripts are injected. 7. Regularly audit and update third-party libraries and dependencies, including Mermaid, to ensure security patches are applied promptly. 8. Employ web application firewalls (WAFs) with rules tuned to detect and block XSS payloads in chat inputs. These measures collectively reduce the likelihood and impact of exploitation beyond simply upgrading the software.