What happened
Zafran Security disclosed four vulnerabilities (DifyTap) in Dify, the open-source LLMOps platform powering 1M+ AI applications. Three are cross-tenant in the cloud deployment. The most severe (CVE-2026-41947) lets any registered user configure LLM tracing on victim applications, creating a persistent covert channel that captures every message and model response. CVE-2026-41948 (CVSS 9.4) is an unauthenticated path traversal in the Plugin Daemon API and remains unpatched. Two additional flaws expose documents across tenants via file UUID enumeration with no permission checks.
Why it matters
Dify is one of the most widely adopted LLMOps platforms in production. Cross-tenant conversation interception means one attacker can silently wiretap AI conversations — including prompts, system instructions, and model responses — from any public application on the platform. This is a structural AI data-pipeline compromise affecting proprietary prompts, RAG content, and sensitive business workflows across all industries using Dify cloud.
Attack vector
CVE-2026-41947 (CVSS 9.1): Authenticated attacker configures tracing on any public application without tenant validation, capturing all chat messages and model responses. CVE-2026-41948 (CVSS 9.4, unpatched): Unauthenticated path traversal in Plugin Daemon API allows access to internal endpoints across tenants. CVE-2026-41949/41950: Auth bypass on file preview/attachment endpoints exposes documents from other tenants using only a file UUID.
Affected systems
Dify (langgenius/dify) < 1.14.2 (CVE-2026-41948 unpatched at disclosure)
Mitigation
Upgrade to Dify 1.14.2 (patches CVE-2026-41947, 41949, 41950). CVE-2026-41948 fix merged to main but not yet released — apply vendor mitigations. Primary advisory: https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps