CVE-2026-34082: CWE-863: Incorrect Authorization in langgenius dify
CVE-2026-34082 is a medium severity vulnerability in the open-source LLM app development platform Dify (langgenius). Before version 1.13.1, the DELETE API endpoint for removing conversations lacks proper authorization checks, allowing any authenticated user to delete chat histories belonging to other users. This issue is fixed in version 1.13.1. The vulnerability is classified under CWE-863 (Incorrect Authorization) and CWE-284 (Improper Access Control).
AI Analysis
Technical Summary
Dify versions prior to 1.13.1 contain an authorization flaw in the DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> endpoint. The endpoint does not properly verify that the requesting user is authorized to delete the specified conversation, enabling any authenticated user to delete conversations owned by others. This vulnerability is addressed in version 1.13.1 of Dify.
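To make the class of bug concrete, the following is an added illustration written for this page, not Dify's own code: a constructed in-memory conversation store with a delete handler that looks conversations up by id alone (the CWE-863 pattern described above) next to a hardened handler that scopes the lookup to the requesting user and the app from the URL. Function names, the Conversation record and the sample data are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Conversation:
    """Minimal stand-in for a chat conversation record (assumed schema)."""
    id: str
    app_id: str
    owner_id: str


# Constructed sample data: two users with one conversation each in app-A.
CONVERSATIONS = {
    "conv-1": Conversation("conv-1", "app-A", "alice"),
    "conv-2": Conversation("conv-2", "app-A", "bob"),
}


def delete_conversation_vulnerable(store, user_id, app_id, conversation_id):
    """Missing authorization: the record is fetched by id only, so any
    authenticated user can delete any conversation. Returns an HTTP-style status."""
    conv = store.get(conversation_id)
    if conv is None:
        return 404
    del store[conversation_id]          # ownership and app never checked
    return 204


def delete_conversation_fixed(store, user_id, app_id, conversation_id):
    """Correct authorization: the lookup is constrained by the authenticated
    user's identity and the app in the path, not by the caller-supplied id alone.
    A non-matching record is reported as 404 so existence is not confirmed."""
    conv = store.get(conversation_id)
    if conv is None or conv.app_id != app_id or conv.owner_id != user_id:
        return 404
    del store[conversation_id]
    return 204


if __name__ == "__main__":
    store = dict(CONVERSATIONS)
    print("vulnerable, bob deletes alice's conv-1:",
          delete_conversation_vulnerable(store, "bob", "app-A", "conv-1"))
    store = dict(CONVERSATIONS)
    print("fixed, bob deletes alice's conv-1:",
          delete_conversation_fixed(store, "bob", "app-A", "conv-1"))
```

In a real ORM-backed handler the same idea is expressed by adding the owner and app predicates to the query itself, so an id taken from the URL can never select another user's row.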
Potential Impact
An authenticated user with legitimate access to the Dify platform but without proper authorization controls can delete chat histories of other users. This could lead to loss of important conversation data and potential disruption of user workflows. There is no indication of privilege escalation or remote code execution. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade Dify to version 1.13.1 or later, where this authorization issue has been fixed. Since the vendor advisory states the issue is patched in 1.13.1, applying this official fix fully mitigates the vulnerability. No additional mitigations are indicated.
CVSS v4.0 score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-25T16:21:40.868Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e6b3b619fe3cd2cd3c6984
Added to database: 4/20/2026, 11:16:06 PM
Last enriched: 4/28/2026, 6:07:07 AM
Last updated: 6/3/2026, 10:20:05 AM