CVE-2026-41950
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant. By supplying an arbitrary file UUID in the files array of a chat-messages request, attackers can exploit insufficient permission verification.
Risk Assessment
This vulnerability may lead to unauthorized access to sensitive data, posing a serious threat to privacy and information security within the organization.
Recommendation
It is recommended to update Dify to version 1.14.0 or later to mitigate this vulnerability and implement additional permission verification mechanisms.
Original NVD description (English source)
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.

