CVE-2026-34082

UNKNOWN 0.0

Dify has IDOR in deleting someone else's chat conversation

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue.

CWE	CWE-863 CWE-284
Vendor	langgenius
Product	dify
Published	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for langgenius dify

Be the first to know when new unknown vulnerabilities affecting langgenius dify are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

langgenius / dify

< 1.13.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p github.com: https://github.com/langgenius/dify/releases/tag/1.13.1