External risk intelligence

Dify app can be hijacked to redirect all messages to attacker systems

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-41947

Dify has a critical flaw that allows editors to redirect all messages and responses from any application to attacker-controlled systems, and the publicly accessible service makes exploitation easy.

Halo Surface Signal: 5

Dify

1.14.1 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-41947

Dify is a web-based LLM application development platform provided as a SaaS service. The vulnerable trace configuration endpoints are part of the platform's web interface, which is exposed to the internet by design to support users. Because the product functions as a public-facing web application and API service, its endpoints are routinely reachable from the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-41947

Yes

CVE-2026-41947 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthorized users to bypass authorization controls and redirect sensitive data, posing a significant risk to systems subject to PCI DSS scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Dify allows authenticated users with editor access to bypass tenant restrictions, enabling them to redirect messages and responses from any application to their own trace providers. This could lead to unauthorized access and manipulation of sensitive data flowing through the Dify platform.

  • Data interception and redirection.
  • Affects users of Dify.
  • Cloud version is easily accessible.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by chaining two flaws. First, Dify Cloud lets unauthenticated users register, which grants them an editor role. Then, this editor can abuse the authorization bypass to reconfigure tracing for any application, redirecting sensitive messages and LLM responses to their own trace provider.

  • Unauthenticated registration required.
  • Target trace configuration endpoints.
  • Redirect LLM data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows authenticated users to manipulate trace configurations across any application, potentially redirecting sensitive messages to attacker-controlled endpoints. The service's cloud offering permits unauthenticated free self-registration, significantly lowering the barrier for attackers to gain access and exploit this flaw. The current threat picture suggests a high likelihood of weaponization due to the ease of access and direct impact on data exfiltration.

  • Public exploit available.
  • Authorization bypass for editors.
  • Critical impact on data privacy.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and isolating Dify instances running versions prior to 1.14.2, as an authorization bypass allows any authenticated editor to control trace configurations across tenants. Given that Dify Cloud allows unauthenticated self-registration and exploits can redirect all messages to attacker-controlled providers, immediate action is critical.

  • Block access to trace configuration endpoints.
  • Block all network traffic from affected Dify instances.
  • Update Dify to version 1.14.2 or later.

Frequently asked questions

What is Dify and what is it used for?

Dify is a platform for developing LLM-powered applications. It is used to build and manage applications that leverage large language models, facilitating tasks like message processing and response generation.

What type of vulnerability does CVE-2026-41947 describe in Dify?

CVE-2026-41947 is an authorization bypass vulnerability (CWE-639) in Dify. It allows authenticated editor users to alter trace configurations for any application, regardless of who owns it.
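The pattern behind this class of flaw (CWE-639), as an added Python example that is not Dify's code: a trace-configuration update that checks the caller's role but not which tenant owns the app, next to a tenant-scoped version and a small audit check. Every name, role and data value here is hypothetical and constructed for illustration.

```python
# Added illustration of CWE-639 on a trace-config update; all names are hypothetical.
from dataclasses import dataclass, field

EDIT_ROLES = {"owner", "admin", "editor"}  # assumed role names

class Forbidden(Exception):
    """Caller is not allowed to modify the requested app."""

@dataclass
class App:
    app_id: str
    tenant_id: str
    trace_config: dict = field(default_factory=dict)

@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str

def new_store():
    """Constructed sample data: two tenants with one app each."""
    return {"app-a": App("app-a", "tenant-a"), "app-b": App("app-b", "tenant-b")}

def update_trace_unscoped(store, user, app_id, config):
    """Flawed pattern: role is checked, but the app is fetched by ID alone."""
    if user.role not in EDIT_ROLES:
        raise Forbidden("role may not edit trace settings")
    app = store[app_id]  # no ownership check, so any tenant's app is accepted
    app.trace_config = dict(config)
    return app

def update_trace_scoped(store, user, app_id, config):
    """Hardened pattern: the app must belong to the caller's tenant."""
    if user.role not in EDIT_ROLES:
        raise Forbidden("role may not edit trace settings")
    app = store.get(app_id)
    # Same error for "missing" and "other tenant" so app IDs cannot be probed.
    if app is None or app.tenant_id != user.tenant_id:
        raise Forbidden("app not found in caller's tenant")
    app.trace_config = dict(config)
    return app

def cross_tenant_changes(store, audit_events):
    """Detection: trace-config updates whose actor tenant differs from the app's."""
    return [e for e in audit_events
            if e["action"] == "trace_config.update" and e["app_id"] in store
            and store[e["app_id"]].tenant_id != e["actor_tenant"]]
```

The same tenant comparison used in `cross_tenant_changes` can be run over existing audit records to find trace settings that were changed from outside the owning tenant before the upgrade.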

How can an attacker exploit Dify's trace configuration vulnerability?

An attacker can exploit this by first registering on Dify Cloud, which is open to unauthenticated users. This grants editor access, which can then be used to access trace configuration endpoints and redirect messages and responses to an attacker-controlled trace provider.

Who should be concerned about this Dify vulnerability?

Organizations using Dify should be concerned. Dify functions as a public-facing web application and API service, making its endpoints reachable from the internet, and this vulnerability affects its core functionality.

What is the first step to address this Dify vulnerability?

The first step is to update Dify to version 1.14.2 or later. This resolves the authorization bypass flaw that allows unauthorized modification of trace configurations.
