CVE-2026-41948
CriticalCVSS 9.4Exploitation Probability (EPSS)
Low risk39th percentile — higher than 39% of all known CVEs
Summary
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API. Attackers can exploit insufficient URL path sanitization to access internal endpoints.
Risk Assessment
This vulnerability may lead to unauthorized access to sensitive interfaces, posing a serious threat to the organization's data security. Additionally, the ease of account creation for attackers increases the risk.
Recommendation
It is recommended to update Dify to the latest version to mitigate this vulnerability and implement additional security measures, such as restricting account registration to trusted users.
Original NVD description (English source)
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

