CVE-2026-41948

Published: May 18, 2026

Modified: May 26, 2026

PUBLISHED

CVSS v3.1

9.4

CRITICAL

Description

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Vendor	Product	Versions
langgenius	dify	affected `0 - <= 1.14.1`

Weaknesses (CWE)

CWE-23

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

References

https://huntr.com/bounties/35b7ad59-e35d-443f-bf77-387bfb932ec0

technical-description

exploit

https://github.com/langgenius/dify/pull/35796

issue-tracking

https://www.vulncheck.com/advisories/dify-path-traversal-via-plugin-daemon-internal-api-access

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41948

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References