Technical description
Dify version 1.14.1 and prior contains an authorization bypass vulnerability in trace configuration endpoints that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. The vulnerability is caused by missing tenant ownership checks in the trace configuration API, enabling cross-tenant privilege escalation.
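The missing check is easiest to see side by side. The following is an added illustration written for this page, not Dify's code: it models a trace-configuration handler as a plain Python function over an in-memory app inventory. The names (App, User, set_trace_config_vulnerable, set_trace_config_fixed, the sample app and tenant ids) are assumptions. The vulnerable form verifies only the caller's role and then loads the application by id alone; the fixed form additionally requires that the application belong to the caller's tenant, and treats an application in another tenant exactly like a missing one.

```python
from dataclasses import dataclass, field


@dataclass
class App:
    app_id: str
    tenant_id: str
    trace_config: dict = field(default_factory=dict)


@dataclass
class User:
    user_id: str
    tenant_id: str
    role: str  # e.g. "editor" or "admin" (hypothetical role names)


class Forbidden(Exception):
    """Caller lacks the required role."""


class NotFound(Exception):
    """No such app is visible to the caller."""


def make_sample_apps():
    """Constructed inventory: one app in each of two tenants."""
    return {
        "app-a": App("app-a", "tenant-a"),
        "app-b": App("app-b", "tenant-b"),
    }


def set_trace_config_vulnerable(apps, user, app_id, config):
    """Role check only: an editor from any tenant can configure any app."""
    if user.role not in ("editor", "admin"):
        raise Forbidden("editor role required")
    app = apps.get(app_id)  # looked up by id alone; tenant ownership ignored
    if app is None:
        raise NotFound(app_id)
    app.trace_config = dict(config)
    return app


def set_trace_config_fixed(apps, user, app_id, config):
    """Role check plus tenant scoping: the app must belong to the caller's tenant."""
    if user.role not in ("editor", "admin"):
        raise Forbidden("editor role required")
    app = apps.get(app_id)
    # An app owned by another tenant is treated like a missing one, so the
    # response does not reveal whether the id exists elsewhere.
    if app is None or app.tenant_id != user.tenant_id:
        raise NotFound(app_id)
    app.trace_config = dict(config)
    return app


def demo():
    """An editor in tenant-a targets tenant-b's app through both handlers."""
    attacker = User("u-1", "tenant-a", "editor")
    cfg = {"enabled": True, "provider": "attacker-controlled"}
    results = {}

    apps = make_sample_apps()
    results["vulnerable"] = set_trace_config_vulnerable(
        apps, attacker, "app-b", cfg).trace_config

    apps = make_sample_apps()
    try:
        set_trace_config_fixed(apps, attacker, "app-b", cfg)
        results["fixed"] = "allowed"
    except NotFound:
        results["fixed"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The scoping is done in the lookup itself rather than as a separate post-load comparison so that every handler that fetches an application goes through the same tenant-filtered path; a single forgotten comparison is how this class of bug appears in the first place.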
Attack vector
An authenticated attacker with editor-level privileges can send crafted requests to trace configuration endpoints to modify or enable tracing for applications owned by other tenants, gaining visibility into application behavior and potentially sensitive data across tenant boundaries. Exploitation requires an authenticated account but does not require administrative privileges.
Affected systems
Dify open-source GenAI application development platform, versions up to and including 1.14.1. Dify is a widely-deployed LLM application orchestration platform used for building AI agents, RAG pipelines, and chatbot applications.
Mitigation
Upgrade to Dify version 1.14.2 or later, which adds tenant ownership validation to the trace configuration endpoints. Organizations that cannot upgrade immediately should restrict editor-level access to trusted users and audit trace configuration changes for activity that crosses tenant boundaries, that is, an editor in one tenant modifying or enabling tracing on an application owned by another tenant.
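The audit step above amounts to joining each trace-configuration change against the owning tenant of the target application and flagging mismatches. The following is an added example, not part of the advisory or of Dify: it assumes a JSON-lines audit log with the fields event, actor, actor_tenant and app_id, and an inventory mapping app ids to their owning tenant. Both the log format and the sample records are constructed for illustration; adapt the field names to whatever your deployment actually emits.

```python
import json

# Constructed inventory of applications and their owning tenants (assumed shape).
APP_TENANTS = {
    "app-a": "tenant-a",
    "app-b": "tenant-b",
}

# Constructed sample audit records, one JSON object per line (assumed format).
# Line 2 is an editor in tenant-a enabling tracing on tenant-b's app.
# Line 5 references an app that is not in the inventory at all.
SAMPLE_LOG = """\
{"event": "trace_config.update", "actor": "u-1", "actor_tenant": "tenant-a", "app_id": "app-a", "enabled": true}
{"event": "trace_config.update", "actor": "u-1", "actor_tenant": "tenant-a", "app_id": "app-b", "enabled": true}
{"event": "app.rename", "actor": "u-3", "actor_tenant": "tenant-b", "app_id": "app-b"}
{"event": "trace_config.update", "actor": "u-2", "actor_tenant": "tenant-b", "app_id": "app-b", "enabled": false}
{"event": "trace_config.update", "actor": "u-9", "actor_tenant": "tenant-c", "app_id": "app-zzz", "enabled": true}
"""


def find_cross_tenant_trace_changes(log_text, app_tenants):
    """Return one finding per trace-config change whose actor tenant does not
    own the target app, plus changes against apps missing from the inventory
    and lines that cannot be parsed (either of which also deserves a look)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "reason": "unparseable"})
            continue
        if rec.get("event") != "trace_config.update":
            continue  # only trace configuration changes are in scope
        app_id = rec.get("app_id")
        owner = app_tenants.get(app_id)
        if owner is None:
            reason = "unknown app"
        elif owner != rec.get("actor_tenant"):
            reason = "cross-tenant"
        else:
            continue  # actor's tenant owns the app: expected activity
        findings.append({
            "line": lineno,
            "actor": rec.get("actor"),
            "actor_tenant": rec.get("actor_tenant"),
            "app_id": app_id,
            "owner_tenant": owner,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_cross_tenant_trace_changes(SAMPLE_LOG, APP_TENANTS):
        print(f)
```

Run it against the real log export and the current application inventory; any "cross-tenant" finding from before the upgrade is a candidate for incident handling, and "unknown app" findings usually mean the inventory snapshot is stale or the app was deleted after the change.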