CVE-2025-56157
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk52th percentile - higher than 52% of all known CVEs
Summary
Dify up to version 1.5.1 includes default PostgreSQL credentials (username and password) in its docker-compose.yaml file. The vendor reports that PostgreSQL is not exposed on TCP port 5432 by default since version 1.0.1.
Risk Assessment
An attacker with access to the internal network or the configured container could exploit the default credentials to compromise the database, leading to data leakage or modification.
Recommendation
Change the default PostgreSQL password in the docker-compose.yaml file before deploying the container. Ensure port 5432 is not exposed externally unless absolutely necessary.
Original NVD description (English source)
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.

