CVE-2026-41948

Name: CVE-2026-41948
Creator: NVD / NIST
Published: 2026-05-18T15:16:25.977+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.3/10EPSS 0.51%

Last modified Jun 22, 2026

CVE-2026-41948 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. EPSS estimates a 0.51% chance of exploitation in the next 30 days.

Description

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Metrics

CVSS 3.1

9.4/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVSS 4.0

9.3/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.51%

39.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-23

Affected Software

Vendor	Product	Versions
Dify	Dify	<= 1.14.1

References

https://github.com/langgenius/dify/pull/35796Issue Tracking, Mitigation, Patch
https://huntr.com/bounties/35b7ad59-e35d-443f-bf77-387bfb932ec0Exploit, Third Party Advisory
https://www.vulncheck.com/advisories/dify-path-traversal-via-plugin-daemon-internal-api-accessThird Party Advisory
https://www.zafran.io/resources/difytap-zafran-discovers-how-attackers-can-silently-wiretap-ai-data-across-tenants-on-a-platform-powering-1m-apps

Timeline

Published: May 18, 2026
Last Modified: Jun 22, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2026-41948?

How severe is CVE-2026-41948?

CVE-2026-41948 has a CVSS score of 9.3/10 (CRITICAL severity). The EPSS model estimates a 0.51% probability of exploitation in the next 30 days.

How do I fix CVE-2026-41948?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-41948?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST