CVE Catalog

CVE-2026-41948

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.51%

39th percentile — higher than 39% of all known CVEs

Summary

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API. Attackers can exploit insufficient URL path sanitization to access internal endpoints.

Risk Assessment

This vulnerability may lead to unauthorized access to sensitive interfaces, posing a serious threat to the organization's data security. Additionally, the ease of account creation for attackers increases the risk.

Recommendation

It is recommended to update Dify to the latest version to mitigate this vulnerability and implement additional security measures, such as restricting account registration to trusted users.

Original NVD description (English source)

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS