Cybersecurity researchers have disclosed a set of four vulnerabilities in Dify, a widely used open-source agentic workflow platform with over 146,000 GitHub stars, that could allow attackers to silently access and exfiltrate private AI chat data across different customer environments. The flaws, collectively named “DifyTap” by Zafran Security, could be exploited without authentication in certain scenarios and primarily impact Dify’s multi-tenant architecture, where isolation between customers is expected to prevent data leakage.
According to researchers Ido Shani and Gal Zaban, two of the vulnerabilities are rated critical, with three enabling cross-tenant data exposure in Dify’s cloud deployment. In practical terms, an attacker could read private prompts and model responses from other users’ applications, effectively creating a hidden channel to intercept every message flowing through affected systems. The issues also extend to Dify’s internal Plugin Daemon API, where unauthenticated access could be used to trigger internal requests, traverse privileged endpoints, and even access files belonging to other tenants or users.
Additional flaws include authorization bypasses and path traversal issues that further weaken tenant isolation. These include CVE-2026-41947, which allows unauthorized configuration of tracing settings across applications; CVE-2026-41948, which enables manipulation of internal Plugin Daemon API routes; CVE-2026-41949, which exposes portions of uploaded documents across tenants via file preview endpoints; and CVE-2026-41950, which allows users to retrieve full file contents belonging to others within the same tenant using only a file UUID. Researchers also noted that the file processing pipeline relied on an outdated version of PDFium affected by a known use-after-free vulnerability (CVE-2024-5846), potentially expanding the attack surface further.
Beyond direct data exposure, the missing tenant ownership checks could allow attackers to redirect application traces and LLM outputs to external endpoints under their control, effectively turning legitimate integrations into persistent data exfiltration channels. Because Dify allows open account registration, researchers warn that any publicly accessible application could be targeted. Following responsible disclosure, most issues have been patched in version 1.14.2, with the remaining fix expected in an upcoming release. The Dify team noted that the findings highlight the difficulty of maintaining security visibility in containerized deployments, where subtle configuration differences can obscure serious isolation failures.
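The file-access flaw described above (content returned to anyone holding a file UUID) and the missing tenant ownership checks come down to the same defect: the lookup never compares the record's tenant and owner with the authenticated caller. The sketch below is an added illustration, not Dify's code; `FileStore`, `Caller`, `StoredFile` and all sample values are hypothetical and constructed for the example.

```python
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredFile:            # hypothetical record, not Dify's data model
    file_id: str
    tenant_id: str
    owner_id: str
    content: bytes

@dataclass(frozen=True)
class Caller:                # identity taken from the authenticated session,
    user_id: str             # never from request parameters
    tenant_id: str

class FileStore:
    def __init__(self):
        self._files = {}

    def put(self, caller, content):
        fid = str(uuid.uuid4())
        self._files[fid] = StoredFile(fid, caller.tenant_id, caller.user_id, content)
        return fid

    def get_by_uuid_only(self, caller, file_id):
        """Weak pattern: knowing the UUID is the only gate; caller is ignored."""
        f = self._files.get(file_id)
        return f.content if f else None

    def get_scoped(self, caller, file_id):
        """Hardened pattern: record must belong to the caller's tenant and user."""
        f = self._files.get(file_id)
        if f is None or f.tenant_id != caller.tenant_id or f.owner_id != caller.user_id:
            return None      # same result for "missing" and "not yours"
        return f.content

def demo():
    store = FileStore()
    alice = Caller("alice", "tenant-a")
    bob = Caller("bob", "tenant-a")          # same tenant, different user
    mallory = Caller("mallory", "tenant-b")  # different tenant
    fid = store.put(alice, b"constructed sample document")
    return {
        "weak_same_tenant": store.get_by_uuid_only(bob, fid),
        "weak_cross_tenant": store.get_by_uuid_only(mallory, fid),
        "scoped_owner": store.get_scoped(alice, fid),
        "scoped_same_tenant": store.get_scoped(bob, fid),
        "scoped_cross_tenant": store.get_scoped(mallory, fid),
        "scoped_unknown_id": store.get_scoped(alice, str(uuid.uuid4())),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result!r}")
```

Returning the same result for an unknown UUID and for another user's UUID keeps the endpoint from confirming which identifiers exist.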
