CVE-2026-21866 Overview
CVE-2026-21866 is a stored Cross-Site Scripting (XSS) vulnerability affecting Dify, an open-source LLM (Large Language Model) application development platform. The vulnerability exists in the Mermaid diagram rendering functionality within the chat interface. Due to an insecure default configuration where Dify uses securityLevel: loose for Mermaid diagrams, attackers can inject and execute malicious scripts that persist within chat conversations.
Critical Impact
Authenticated attackers can inject persistent malicious scripts through Mermaid diagrams in chat interfaces, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of other users.
Affected Products
- Dify versions prior to 1.11.2
- Dify LLM application development platform (all deployments with default Mermaid configuration)
- Self-hosted and cloud-based Dify installations with chat functionality enabled
Discovery Timeline
- 2026-03-03 - CVE-2026-21866 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-21866
Vulnerability Analysis
This stored XSS vulnerability stems from insecure configuration of the Mermaid diagramming library within Dify's chat rendering pipeline. Mermaid is a JavaScript-based tool that renders text-based diagram definitions into visual diagrams. When Dify processes chat messages containing Mermaid diagram syntax, it uses the securityLevel: loose configuration option, which disables critical security protections designed to prevent script execution.
The vulnerability allows an authenticated attacker to craft a malicious Mermaid diagram definition that, when rendered by the application, executes arbitrary JavaScript code in the context of other users viewing the chat. Because this is a stored XSS vulnerability, the malicious payload persists in the chat history and executes each time a user views the affected conversation.
The attack requires low complexity to execute but does require user interaction—a victim must view the chat containing the malicious diagram. The primary impact is on the confidentiality and integrity of other users' sessions within the Dify platform.
Root Cause
The root cause of CVE-2026-21866 is an insecure default configuration choice in Dify's Mermaid integration. The Mermaid library provides multiple security levels:
- strict - Prevents all potentially dangerous content
- loose - Allows click functionality and other potentially unsafe features
- antiscript - Allows click functionality but sanitizes script-like content
- sandbox - Renders diagrams in an isolated iframe
Dify's implementation defaulted to securityLevel: loose, which permits inline event handlers and other mechanisms that can execute JavaScript. This configuration decision prioritized functionality over security, allowing attackers to bypass content security measures that would otherwise prevent script injection through diagram rendering.
Attack Vector
The attack is network-based and exploits the Mermaid diagram rendering feature within Dify's chat interface. An authenticated attacker with access to a Dify workspace can inject a specially crafted Mermaid diagram containing malicious JavaScript payloads. The diagram syntax supports click handlers and callbacks that, under the loose security level, execute when rendered.
When other users in the same workspace view the chat conversation containing the malicious diagram, the embedded JavaScript executes in their browser context. This can be leveraged to steal session tokens, perform actions on behalf of the victim, redirect users to phishing pages, or exfiltrate sensitive data from the application.
The attack persists because chat messages are stored server-side, meaning the malicious payload affects all users who subsequently view the compromised conversation without requiring the attacker to maintain an active presence.
Detection Methods for CVE-2026-21866
Indicators of Compromise
- Chat messages containing Mermaid diagram syntax with embedded click handlers, event attributes, or JavaScript URIs
- Unexpected network requests originating from chat interface pages to external domains
- Session token exfiltration attempts or unauthorized API calls correlating with chat viewing activity
- User reports of unusual behavior when viewing specific chat conversations
Detection Strategies
- Monitor application logs for Mermaid diagram submissions containing suspicious patterns such as javascript:, onclick, or base64-encoded payloads
- Implement Content Security Policy (CSP) headers that restrict inline script execution and report violations to a logging endpoint
- Deploy web application firewalls (WAF) with rules to detect XSS payloads in Mermaid diagram syntax
- Audit stored chat content for known XSS payload patterns, particularly in diagram definitions
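As an added example that is not part of this page or of Dify's own code, the following JavaScript audits stored chat messages for the Mermaid indicators listed above (click directives, javascript: URIs, inline event handlers, base64 data URIs). The message shape and the sample messages are constructed assumptions; the audit only inspects text inside ```mermaid fences, so a prose mention of an event attribute does not produce a finding.

```javascript
// Added example (not Dify's or Mermaid's code): audit stored chat markdown for
// Mermaid diagram definitions carrying the indicators named on this page.
// Patterns are deliberately simple and meant for triage, not as a WAF ruleset.
const SUSPICIOUS_PATTERNS = [
  { name: 'click-directive', re: /^\s*click\s+\S+/im },       // Mermaid click handler line
  { name: 'javascript-uri', re: /javascript\s*:/i },           // javascript: URI in href/callback
  { name: 'inline-event-handler', re: /\bon[a-z]+\s*=/i },     // e.g. onclick= inside diagram text
  { name: 'base64-data-uri', re: /data:[^,]*;base64,/i },      // encoded payload carrier
];

// Pull the bodies of ```mermaid fenced blocks out of a chat message.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  const fence = /```mermaid[^\n]*\n([\s\S]*?)```/g;
  let m;
  while ((m = fence.exec(markdown)) !== null) blocks.push(m[1]);
  return blocks;
}

// Names of the patterns matched by a single diagram definition.
function findIndicators(diagram) {
  return SUSPICIOUS_PATTERNS.filter((p) => p.re.test(diagram)).map((p) => p.name);
}

// Audit stored messages ({ id, content }); returns one finding per flagged diagram.
function auditMessages(messages) {
  const findings = [];
  for (const msg of messages) {
    extractMermaidBlocks(msg.content).forEach((diagram, i) => {
      const hits = findIndicators(diagram);
      if (hits.length) findings.push({ id: msg.id, block: i, indicators: hits });
    });
  }
  return findings;
}

// Constructed sample data: a benign diagram, a diagram with click/javascript: indicators,
// and a message that mentions onclick= only in prose (must not be flagged).
const SAMPLE_MESSAGES = [
  { id: 'msg-1', content: 'Here is the flow:\n```mermaid\ngraph TD\n  A[Start] --> B[End]\n```' },
  { id: 'msg-2', content: '```mermaid\ngraph LR\n  A --> B\n  click A href "javascript:void(0)"\n  click B call cb()\n```' },
  { id: 'msg-3', content: 'No diagram here, just prose mentioning onclick= as a word.' },
];

console.log(JSON.stringify(auditMessages(SAMPLE_MESSAGES), null, 2));
```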
Monitoring Recommendations
- Enable CSP violation reporting (start with Content-Security-Policy-Report-Only before enforcing) to identify potential XSS execution attempts
- Configure alerts for unusual JavaScript error patterns or unexpected external resource loading from chat pages
- Monitor user session activity for anomalies following chat interactions, such as privilege escalation or bulk data access
- Review application audit logs for Mermaid diagram rendering errors or security exceptions
How to Mitigate CVE-2026-21866
Immediate Actions Required
- Upgrade Dify installations to version 1.11.2 or later immediately
- Review chat history for any suspicious Mermaid diagram content that may contain malicious payloads
- Force session invalidation for users who may have viewed potentially compromised chat conversations
- Implement Content Security Policy headers as a defense-in-depth measure
Patch Information
The vulnerability has been fixed in Dify version 1.11.2. The fix modifies the Mermaid configuration to use a more restrictive security level that prevents script execution through diagram rendering.
Technical details of the patch are available in the following resources:
- GitHub Commit ae17537470bba417a8971fff705dd82ecb043564 - Contains the actual code changes
- GitHub Pull Request #29811 - Discussion and review of the fix
- GitHub Security Advisory GHSA-qpv6-75c2-75h4 - Official vendor security advisory
Workarounds
- If immediate patching is not possible, modify the Mermaid configuration to use securityLevel: strict or securityLevel: sandbox in your Dify deployment
- Implement a web application firewall rule to filter Mermaid diagram content containing potential XSS payloads
- Temporarily disable Mermaid diagram rendering in chat interfaces until the patch can be applied
- Restrict chat functionality to trusted users only while awaiting the upgrade
# Configuration example - Update Mermaid security level in Dify configuration
# Locate your Dify configuration and ensure Mermaid uses strict security
# This is a temporary workaround until upgrading to version 1.11.2
# For Docker deployments, update environment variables:
export MERMAID_SECURITY_LEVEL=strict
# Alternatively, upgrade to the patched version:
docker pull langgenius/dify:1.11.2
docker-compose down && docker-compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.