BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Critical Flaws in Dify AI Platform Expose User Data

Critical DifyTap vulnerabilities exposed private AI chats across tenants.

  • Critical vulnerabilities in the popular open-source AI platform Dify could have allowed attackers to secretly wiretap and steal AI chat conversations from other customers’ applications.
  • Researchers collectively codenamed the flaws DifyTap, noting two were critical severity and several bypassed authentication, impacting Dify’s multi-tenant cloud service.
  • The security defects, disclosed by Zafran Security researchers Ido Shani and Gal Zaban, could have created a covert channel to exfiltrate every user message and model response.
  • Dify’s file parsing stack also relied on a vulnerable version of PDFium, exposing users to a two-year-old heap corruption bug via crafted PDF files.

Cybersecurity researchers have disclosed a suite of four serious vulnerabilities in the widely-used open-source AI platform Dify, uncovering a critical risk where attackers could stealthily read private AI conversations from other customers’ applications without authentication. The flaws, disclosed on June 22, 2026, by researchers from Zafran Security, were collectively codenamed DifyTap and impacted the platform with over 146,000 GitHub stars.

- Advertisement -

According to the researchers, two of the vulnerabilities were critical severity and three carried cross-tenant impact on Dify’s cloud service. Consequently, this could have allowed one customer’s sensitive AI data to be exposed to another. The issues enabled attackers to read private AI chats, creating a persistent exfiltration channel for every message.

Separately, Zafran discovered Dify’s file parsing relied on a version of PDFium vulnerable to CVE-2024-5846, a use-after-free bug. Meanwhile, the specific vulnerabilities included CVE-2026-41947, which let authenticated editors set trace configurations for any application.

Another flaw, CVE-2026-41948, was a path traversal issue allowing access to internal API endpoints. Researchers also identified CVE-2026-41949, which let users preview documents across tenants, and CVE-2026-41950, enabling file reads within the same tenant.

The researchers explained that missing tenant checks could redirect all victim application messages to an attacker-controlled trace provider. However, following responsible disclosure, fixes for most flaws were shipped in version 1.14.2 last month.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Saylor’s ‘Orange Dots’ Signal Fails to Clarify Bitcoin Strategy

Strategy founder Michael Saylor posted a cryptic signal on Sunday, prompting analysts to call...

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

Must Read

8 Best Bitcoin Offshore Hosting Providers

In this blog post, we'll list the top 8 best bitcoin offshore hosting providers that accept Bitcoin and other cryptocurrencies.As Bitcoin continues to grow...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading