6 matches found
EUVD-2026-30771
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...
CVE-2026-41948 Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...
CVE-2026-41948
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...
CVE-2026-41947
Affected product: Dify v1.14.1 and prior. Vulnerability: authorization bypass in trace configuration endpoints due to missing tenant ownership checks. Impact: authenticated editor users can set/enable trace configurations for any application and redirect messages/responses to attacker‑controlled ...
CVE-2026-41947 Dify < 1.14.2 Authorization Bypass via Trace Configuration Endpoints
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to...
PT-2026-41674
Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints...