DifyTap Exposes AI Conversations: Critical Vulnerabilities Found in Open-Source Workflow Platform
Cybersecurity researchers have uncovered a suite of critical vulnerabilities, dubbed DifyTap, in **Dify**, a popular open-source agentic workflow platform. These flaws could have allowed attackers to access sensitive AI conversations and internal data across different customer applications without authentication, highlighting significant cross-tenant security risks.
Cybersecurity researchers at **Zafran Security** have disclosed details on four critical vulnerabilities affecting **Dify**, an open-source agentic workflow platform boasting over 146,000 GitHub stars. Collectively codenamed **DifyTap**, these flaws could have enabled attackers to surreptitiously intercept and read AI conversations from other customers' applications without requiring any authentication.
"Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify's multi-tenant cloud service, allowing one customer's data to be exposed to another," explained researchers Ido Shani and Gal Zaban.
The vulnerabilities created a covert exfiltration channel, potentially exposing every message and model response from private AI chats. Attackers could also traverse **Dify**'s internal Plugin Daemon API from unauthenticated requests, trigger cross-tenant internal API calls, preview documents uploaded by other tenants, and leak files across users within a tenant by manipulating file unique identifiers.

**Zafran Security** also identified that **Dify**'s file parsing stack utilized an outdated version of **PDFium**, a C++ library for PDF rendering. This version was susceptible to **CVE-2024-5846** (CVSS score: 8.8), a two-year-old use-after-free bug that could lead to heap corruption via a crafted PDF file.
The remaining identified vulnerabilities include:
* **CVE-2026-41947** (CVSS score: 9.1): An authorization bypass allowing authenticated editor users to set and enable trace configurations for any application, regardless of tenant ownership.
* **CVE-2026-41948** (CVSS score: 9.4): A path traversal vulnerability enabling authenticated users to manipulate requests to the Plugin Daemon's internal REST API, exploiting insufficient URL path sanitization to access internal, private endpoints.
* **CVE-2026-41949** (CVSS score: 7.5/5.9): An authorization bypass in the file preview endpoint (`/console/api/files/{file_id}/preview`), allowing any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID.
* **CVE-2026-41950** (CVSS score: 6.5): An authorization bypass allowing authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request.
Missing tenant ownership checks could be exploited to redirect all messages and responses from victim applications to an attacker-controlled Large Language Model (LLM) trace provider. Notably, **Dify** allows free account registration, broadening the potential attack surface.
"Consequently, an attacker can configure their own tracing for any application they can access as a client, which includes all publicly accessible applications," the researchers elaborated. "This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application."
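The file preview bypass (CVE-2026-41949) listed above comes down to a lookup keyed only by the file's UUID. The following added example, which is not Dify's code or its patch, contrasts that pattern with a tenant-scoped lookup; the in-memory store, the class and function names, and the sample data are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass

PREVIEW_LIMIT = 3000  # the advisory says up to 3,000 characters are returned


@dataclass(frozen=True)
class UploadedFile:  # hypothetical record, not Dify's model
    file_id: str
    tenant_id: str
    text: str


class NotFound(Exception):
    """Raised for unknown IDs and for files owned by another tenant alike."""


def make_store():
    # Constructed sample data: one uploaded document per tenant.
    a = UploadedFile(str(uuid.uuid4()), "tenant-a", "A" * 5000)
    b = UploadedFile(str(uuid.uuid4()), "tenant-b", "tenant B contract text")
    return {f.file_id: f for f in (a, b)}, a, b


def preview_unscoped(store, file_id):
    # Weak form: knowing the file UUID is the only condition checked.
    f = store.get(file_id)
    if f is None:
        raise NotFound("file")
    return f.text[:PREVIEW_LIMIT]


def preview_scoped(store, file_id, caller_tenant_id):
    # Hardened form: caller_tenant_id must come from the authenticated
    # session, never from the request, and is part of the lookup condition.
    try:
        file_id = str(uuid.UUID(file_id))  # reject malformed identifiers
    except (ValueError, AttributeError, TypeError):
        raise NotFound("file") from None
    f = store.get(file_id)
    if f is None or f.tenant_id != caller_tenant_id:
        # Same error for "missing" and "not yours": no existence oracle.
        raise NotFound("file")
    return f.text[:PREVIEW_LIMIT]
```

In a database-backed service the same rule is expressed by putting the tenant column in the query's filter rather than comparing after the fetch.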

Following responsible disclosure, all vulnerabilities except **CVE-2026-41948** have been patched in **Dify version 1.14.2**, released last month. A fix for the remaining flaw is anticipated in the next **Dify** release.
"DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect," **Zafran Security** highlighted, underscoring the complexities of securing modern, containerized applications.