CVE-2026-28288 is an information disclosure vulnerability categorized under CWE-204 (Observable Response Discrepancy) affecting the Dify platform developed by langgenius. Dify is an open-source platform designed for building applications leveraging large language models (LLMs). Prior to version 1.9.0, the Dify API responded differently when queried with email addresses associated with existing accounts compared to those not registered. This discrepancy in API responses enables an attacker to perform account enumeration attacks by systematically testing email addresses and observing the API's behavior. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) reflects a network attack vector with low complexity and no privileges or user interaction required, but with limited impact confined to confidentiality (partial information disclosure). The flaw could be leveraged by attackers to gather valid user emails, which can then be used in targeted phishing campaigns, social engineering, or brute force attempts against user accounts. The issue was addressed in Dify version 1.9.0 by normalizing API responses to eliminate observable differences between valid and invalid account queries, thus preventing enumeration. No public exploits have been reported, but the vulnerability's presence in an open-source platform increases the risk of discovery and exploitation if unpatched.

The primary impact of CVE-2026-28288 is the unauthorized disclosure of registered email addresses through account enumeration. This can lead to increased risk of targeted phishing attacks, social engineering, and credential stuffing campaigns against users of the affected platform. Organizations using vulnerable versions of Dify expose their user base to privacy risks and potential downstream compromise if attackers leverage enumerated emails for further attacks. While the vulnerability does not directly allow account takeover or system compromise, the information gained can be a critical first step in multi-stage attacks. For enterprises deploying Dify-based applications, this could result in reputational damage, regulatory compliance issues related to user data protection, and increased operational costs for incident response. The vulnerability affects all deployments running versions prior to 1.9.0, regardless of environment, due to its network-exploitable nature without authentication or user interaction.

To mitigate CVE-2026-28288, organizations should immediately upgrade all Dify instances to version 1.9.0 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement network-level controls such as rate limiting and IP blacklisting to reduce the risk of automated enumeration attempts. Additionally, monitor API access logs for unusual patterns indicative of enumeration, such as high volumes of email verification requests from single IP addresses. Employ application-layer protections like web application firewalls (WAFs) configured to detect and block enumeration behaviors. Educate users about phishing risks and encourage strong, unique passwords combined with multi-factor authentication (MFA) to mitigate risks from potential credential stuffing attacks. Finally, review and minimize the amount of information returned in API error messages or responses to avoid leaking account existence details.