CVE-2026-41950

EUVD-2026-27504

05.05.2026, 21:16

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
VulnCheck	CNA	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
langgenius	dify	𝑥 < 1.14.0	CNA

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/langgenius/dify/releases/tag/1.14.0

https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d

https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid

https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d