CVE-2026-41948 · CRITICAL 9.4 · EPSS p37.6%

CVE-2026-41948

Description

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Scoring

CVSS 3.1: 9.4 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.48% probability of exploitation · percentile 37.6% · 2026-06-19T12:03:05Z
Published: 2026-05-18
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-23

References

  1. https://github.com/langgenius/dify/pull/35796
  2. https://huntr.com/bounties/35b7ad59-e35d-443f-bf77-387bfb932ec0
  3. https://www.vulncheck.com/advisories/dify-path-traversal-via-plugin-daemon-internal-api-access


Type | Target | Confidence | Tier
Weakness | Relative Path Traversal (cwe-23) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-41947
  2. CVE: CVE-2025-63388
  3. CVE: CVE-2025-63386
  4. CVE: CVE-2025-34159
  5. CVE: CVE-2025-64419
  6. CVE: CVE-2026-23899
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.