CVE-2026-41947

HIGH 7.4

Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints

CVSS Score

7.4

EPSS Score

0.0%

EPSS Percentile

0th

Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

CWE	CWE-639
Vendor	langgenius
Product	dify
Published	May 18, 2026
Last Updated	May 18, 2026

Stay Ahead of the Next One

Get instant alerts for langgenius dify

Be the first to know when new high vulnerabilities affecting langgenius dify are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

langgenius / dify

0 ≤ 1.14.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

huntr.com: https://huntr.com/bounties/a43076b2-fbc8-4750-9647-89a036b52f52 github.com: https://github.com/langgenius/dify/pull/35793 vulncheck.com: https://www.vulncheck.com/advisories/dify-authorization-bypass-via-trace-configuration-endpoints

Credits

Ido Shani and Gal Zaban of Zafran Security