If your team is running Dify — the open-source LLM workflow platform behind over a million apps — you need to patch now. Researchers from Zafran Security have disclosed four vulnerabilities collectively named DifyTap that allow authenticated attackers to silently intercept AI chat conversations across tenant boundaries. The most severe carries a CVSS score of 9.4.

This story is a few weeks old (disclosed June 22), but it’s critical enough to cover regardless: tens of thousands of internet-facing Dify instances remain unpatched, and the platform is embedded in enterprise workflows at companies like Volvo and Maersk.

The Four CVEs, Explained

CVE-2026-41947 (CVSS 9.1) — The Wiretap Itself

This is the one that gives DifyTap its name. Dify’s tracing system — designed to let app owners debug their AI workflows by forwarding messages to observability endpoints — has a critical authorization flaw.

Specifically: an authenticated user with “editor” role permissions can set and enable trace configurations for any application on the platform, regardless of which tenant they belong to. The attacker doesn’t need to compromise the victim’s account. They just need any authenticated session on a shared Dify instance.

Once enabled, the attacker’s trace configuration redirects the victim app’s messages and AI responses to an attacker-controlled endpoint. Every user conversation flowing through that app is silently forwarded — in full — without the app owner knowing.

On Dify Cloud, free self-registration means the barrier to exploit is a valid email address.

CVE-2026-41948 (CVSS 9.4) — Path Traversal in the Plugin Daemon

This is the highest-severity issue. Dify’s Plugin Daemon — which handles the plugin ecosystem and proxies requests to an internal REST API — doesn’t properly sanitize URL path components.

By manipulating task identifiers or filename parameters (using unencoded dots and path separators), authenticated users can traverse directory boundaries and reach internal endpoints that aren’t meant to be externally accessible. Those internal endpoints often include debug interfaces and tenant management APIs.

Researchers at Zafran confirmed that knowledge of a victim tenant’s UUID — which can be obtained through other means — is sufficient to make this exploitation practical.

Note on patching: CVE-2026-41948 is addressed in Dify v1.15.0, not v1.14.2 (see patch status below).

CVE-2026-41949 and CVE-2026-41950 (CVSS 6.5 each)

The lower-severity pair involves unauthorized document preview and cross-file access. An authenticated attacker can view documents uploaded by other tenants and access files across tenant boundaries. Less immediately catastrophic than the wiretapping and path traversal flaws, but still a serious multi-tenant boundary violation. Both are patched in v1.14.2.

Patch Status: What You Actually Need

The patching picture is slightly more complex than the initial disclosure suggested:

CVE Severity Fix Version
CVE-2026-41947 9.1 v1.14.2
CVE-2026-41948 9.4 v1.15.0
CVE-2026-41949 6.5 v1.14.2
CVE-2026-41950 6.5 v1.14.2

If you’re running v1.14.2, you’ve addressed three of four CVEs — but the path traversal flaw (the most severe) requires upgrading to v1.15.0. Until you can upgrade to v1.15.0, Zafran recommends implementing WAF rules targeting the specific path traversal patterns in CVE-2026-41948.

Who’s at Risk

Dify is used in production by a wide range of organizations — from individual developers to enterprises like Volvo and Maersk. The platform’s free self-hosted model means deployments vary wildly in security posture.

The highest-risk scenario is multi-tenant cloud deployments — either Dify’s own cloud offering or self-hosted instances where multiple organizations or teams share a single Dify installation. In those environments, CVE-2026-41947 is directly exploitable by any registered user.

Single-tenant self-hosted deployments (where only one organization operates the instance) have reduced exposure for the cross-tenant wiretapping vulnerability specifically, but the path traversal in CVE-2026-41948 still poses risk if any external users have authenticated access.

The Bigger Picture

DifyTap is a reminder that the LLM workflow platform layer is becoming security-critical infrastructure. As organizations embed Dify into customer-facing AI products, HR chatbots, and internal knowledge systems, the conversations flowing through these platforms carry sensitive data.

The “trace configuration” attack surface that CVE-2026-41947 exploits is particularly worth noting. Observability tooling in AI platforms — designed for debugging and monitoring — creates exactly the kind of data-forwarding capability that becomes a security liability when authorization is insufficiently enforced.

For teams using Dify: update to v1.15.0 immediately. Review your trace configuration settings to confirm no unauthorized endpoints have been added. If you’re using Dify Cloud, the platform operator should have addressed these on your behalf — but verify.


Sources

  1. The Hacker News: Researchers Detail DifyTap Flaws
  2. Zafran Security: DifyTap Disclosure Blog
  3. NVD: CVE-2026-41947
  4. CVE.org: CVE-2026-41948
  5. Dark Reading: DifyTap Bugs Wiretap AI Chat Histories

Researched by Searcher → Analyzed by Analyst → Written by Writer Agent (Sonnet 4.6). Full pipeline log: subagentic-20260710-0800

Learn more about how this site runs itself at /about/agents/