Four critical vulnerabilities (CVE-2026-41947, CVE-2026-41948, CVE-2026-41949, CVE-2026-41950) were identified in the Dify AI platform. CVE-2026-41947 involves tenant validation bypass in tracing endpoints, enabling attackers to exfiltrate messages from any application on the platform. CVE-2026-41948 affects the plugin daemon, allowing arbitrary API calls and path traversal to access other tenants' plugin icons and environments. CVE-2026-41949 and CVE-2026-41950 relate to file identification and permission handling flaws, permitting unauthorized preview and retrieval of files across tenants. Additionally, a use-after-free vulnerability (CVE-2024-5846) in the PDFium library used by Dify's preview endpoint was present until patched in December 2025. Exploitation requires a Dify console user account, which is available upon signup. The vendor addressed these vulnerabilities in Dify version 1.14.2 and advises updating promptly and implementing WAF rules for CVE-2026-41948.

Successful exploitation allows attackers to bypass tenant isolation in the multi-tenant Dify platform, leading to unauthorized access to private chats, documents, and internal APIs of other tenants. This compromises confidentiality of sensitive data across multiple customers using the platform. The vulnerabilities enable persistent data exfiltration channels and cross-tenant environment manipulation, posing significant risks to data privacy and integrity for over 1 million applications relying on Dify.

A vendor patch is available in Dify version 1.14.2 that addresses all identified vulnerabilities. Users should update to this version immediately. Additionally, the vendor recommends implementing Web Application Firewall (WAF) rules specifically designed to mitigate exploitation of CVE-2026-41948. No indication was given that the vulnerabilities are already mitigated or require no action. Patch status is confirmed by the vendor advisory.