CVE-2026-41949 Dify < 1.14.2 Authorization Bypass via File Preview Endpoint

Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...

CVE-2026-41949 Dify < 1.14.2 Authorization Bypass via File Preview Endpoint

Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...

CVE-2026-41948

Dify v1.14.1 (and prior) is affected by a path traversal vulnerability in the Plugin Daemon internal API caused by insufficient URL path sanitization. authenticated users can traverse outside their tenant path using unencoded dot sequences in task IDs or manipulated filename parameters to reach i...

EUVD-2026-30772

Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints...

PT-2026-41676

Name of the Vulnerable Software and Affected Versions Dify versions prior to 1.14.2 Description An authorization bypass exists in the file preview endpoint, allowing any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces. This is possible ...