Four Critical Vulnerabilities in Dify AI Platform Expose Data Across 1 Million Apps
What Happened — Researchers at Zafran Labs disclosed four flaws (CVE‑2026‑41947 – CVE‑2026‑41950) in Dify, the open‑source AI platform that powers more than a million applications for over 60 industries. Two of the bugs are critical (CVSS 9.1 and 9.4) and require no authentication; they enable cross‑tenant data theft, arbitrary file access, and persistent exfiltration of chat logs. An additional issue left a vulnerable PDFium binary unpatched for 18 months, exposing the service to a known use‑after‑free exploit.
Why It Matters for Compliance & Audit Readiness
- The flaws bypass logical‑access controls and break tenant isolation – a direct violation of SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations).
- Continuous‑compliance programs must map these gaps to control objectives, collect remediation evidence, and retain a defensible audit trail.
- Verisq’s Control‑Mapping capability can automatically align discovered gaps with SOC 2 controls and generate the evidence needed for auditors.
Who Is Affected — Enterprises that have deployed Dify‑based AI assistants (e.g., Volvo, Maersk) and any SaaS provider that embeds Dify in customer‑facing applications across manufacturing, logistics, finance, and other sectors.
Recommended Actions
- Patch all four CVEs immediately and retire the outdated PDFium binary.
- Enforce authentication on tracing, plugin, and file‑preview endpoints; add tenant‑ID checks to all internal APIs.
- Update your SOC 2 control inventory to include “Tenant‑Isolation Validation” and “Secure API Configuration” and capture remediation evidence in your continuous‑compliance repository.
Source: Security Affairs
Technical Notes
- CVE‑2026‑41947 (CVSS 9.1) – unauthenticated tracing configuration allows exfiltration of all messages.
- CVE‑2026‑41948 (CVSS 9.4) – path‑traversal in plugin daemon enables GET/POST to arbitrary internal endpoints without login.
- CVE‑2026‑41949 / CVE‑2026‑41950 – file‑preview endpoints lack ownership or tenant checks, exposing any document.
- CVE‑2024‑5846 – use‑after‑free in PDFium remained unpatched until Dec 2025, exploitable via malicious PDFs.