A new set of bugs in a popular AI building platform could allow attackers to effectively wiretap vulnerable customers.
Researchers with security vendor Zafran discovered a series of four vulnerabilities in Dify, an open source AI platform that acts as a kind of orchestration layer to help organizations create, deploy, and manage AI applications without needing to build out the infrastructure themselves. Dify is exceedingly popular; it has more than 10 million pulls of its API image on Docker, and Zafran identified tens of thousands of Internet-facing Dify instances.
The set of vulnerabilities, referred to cumulatively as “DifyTap,” includes tracing configuration flaw CVE-2026-41947 (CVSS 9.1); Plugin Daemon path traversal vulnerability CVE-2026-41948 (CVSS 9.4); unauthorized document preview bug CVE-2026-41949 (CVSS 6.5); and cross-file user access flaw CVE-2026-41950 (CVSS 6.5).
If exploited, these vulnerabilities would enable attackers to leak private AI chat histories, traverse Dify’s internal Plugin Daemon API from unauthenticated requests, preview documents uploaded by other tenants without permission checks, and leak files across users within a tenant.
CVE-2026-41947, CVE-2026-41949, and CVE-2026-41950 have been patched in Dify version 1.14.2. A fix for CVE-2026-41948 has been merged on GitHub, and customers can build and deploy the most recent version on GitHub, which addresses all four flaws at once. Zafran’s blog post also notes that “For those currently operating on version 1.14.2, it is highly recommended to implement Web Application Firewall (WAF) rules specifically designed to mitigate CVE-2026-41948.”
How Attackers Could Exploit DifyTap
The four vulnerabilities under the DifyTap umbrella are grouped together for the purposes of the blog post, but they can be exploited differently.
CVE-2026-41947 enables a tracing hijack and wiretapping-like capabilities. In AI terms, tracing refers to the ability to profile and monitor AI applications, and this vulnerability would allow a threat actor to take advantage of that. An attacker would create a Dify account, find a public-facing application, obtain the application’s internal App ID, call Dify’s tracing configuration API, and then register their own tracing back end.
Through this, the attacker would effectively establish a “persistent exfiltration channel for all messages and responses sent in the application,” the researchers said. For a company using Dify for a customer-facing chatbot, this would seize data including (but not limited to) user prompts, model responses, and chat histories.
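The check below is an added example, not code from Zafran's research or from Dify: it audits an export of per-application tracing settings and flags any back end whose host is not on an allowlist, which is where a tracing back end registered by someone outside the organization would show up. The export format, field names, and host names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the organization really sends traces to (assumed values).
APPROVED_HOSTS = {"tracing.corp.example"}
APPROVED_SUFFIXES = (".observability.corp.example",)

# Constructed export of per-application tracing settings; the field names
# are assumptions for this example, not Dify's schema.
SAMPLE_TRACE_CONFIGS = [
    {"app_id": "app-support", "endpoint": "https://tracing.corp.example/ingest"},
    {"app_id": "app-hr", "endpoint": "https://eu.observability.corp.example"},
    {"app_id": "app-sales", "endpoint": "https://tracing.corp.example.collector.example.net/ingest"},
    {"app_id": "app-kb", "endpoint": "https://tracing.corp.example@collector.example.net/"},
    {"app_id": "app-internal", "endpoint": ""},
    {"app_id": "app-legacy", "endpoint": "tracing.corp.example:443"},
]


def endpoint_host(endpoint):
    """Return the normalized hostname of an http(s) URL, or None if it has none."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def is_approved(host):
    """Exact match or approved parent domain; never a substring match."""
    return host in APPROVED_HOSTS or host.endswith(APPROVED_SUFFIXES)


def audit_trace_configs(configs):
    """Return (app_id, reason, detail) for every tracing back end needing review."""
    findings = []
    for cfg in configs:
        endpoint = (cfg.get("endpoint") or "").strip()
        if not endpoint:
            continue  # tracing is not configured for this application
        host = endpoint_host(endpoint)
        if host is None:
            findings.append((cfg["app_id"], "unparseable endpoint", endpoint))
        elif not is_approved(host):
            findings.append((cfg["app_id"], "unapproved host", host))
    return findings


if __name__ == "__main__":
    for app_id, reason, detail in audit_trace_configs(SAMPLE_TRACE_CONFIGS):
        print(f"{app_id}: {reason}: {detail}")
```

Matching on the parsed hostname rather than on the raw string is what keeps an approved name embedded in a longer host or in the userinfo part of a URL from passing the check.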
CVE-2026-41948 deals with the Plugin Daemon, the service Dify uses for managing and running plug-ins. The vulnerability allows an attacker to reach exposed parts of the internal Plugin Daemon that they shouldn’t be able to access. While the immediate impact is limited, it represents an architectural flaw that could grow worse if another vulnerability comes around.
“The current impact is limited in scope, primarily allowing access to debug/pprof for performance data,” the research read. “With this in mind, this is still a fundamental architectural flaw; any new or changed endpoint in the Plugin Daemon could become a high-severity vulnerability.”
CVE-2026-41949 and CVE-2026-41950 both involve the Universally Unique Identifier (UUID) attached to documents, such as sensitive PDFs uploaded by a vulnerable company. If an attacker discovers a UUID in one way or another, CVE-2026-41949 allows the attacker to view document content from a preview endpoint with only the UUID, and CVE-2026-41950 allows the attacker to get an AI application to leak a file’s content by using the UUID in a prompt, without further authorization.
What CISOs Can Take Away From DifyTap
A spokesperson for Zafran tells Dark Reading it is not aware of any real-world exploitation attempts targeting the vulnerabilities to date.
The DifyTap flaws highlight the increased data security risks that come with AI applications because of how close they sit to the most sensitive parts of an enterprise. The spokesperson points out that “a simple authorization flaw can quickly become a cross-tenant data exposure issue,” and organizations should assume there may be hidden exposure within their AI stack.
“CISOs should treat AI platforms as critical enterprise systems: Maintain an inventory of deployed AI applications, ensure they are patched promptly, continuously monitor them, and perform the same level of security assessment they would apply to any Internet-facing business-critical technology,” the spokesperson says.
Dark Reading contacted Dify for comment.
