CVE-2026-41948 Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...

CVE-2026-41947

Affected product: Dify v1.14.1 and prior. Vulnerability: authorization bypass in trace configuration endpoints due to missing tenant ownership checks. Impact: authenticated editor users can set/enable trace configurations for any application and redirect messages/responses to attacker‑controlled ...