CVE-2026-41947 Overview
CVE-2026-41947 is an authorization bypass vulnerability in Dify version 1.14.1 and prior. The flaw resides in the trace configuration endpoints, which fail to verify tenant ownership before allowing authenticated editor users to modify trace settings. Attackers can enable and configure trace providers for any application across tenant boundaries, redirecting all messages and model responses from victim applications to attacker-controlled large language model (LLM) trace providers. The exposure is amplified on Dify Cloud, where free, open self-registration lets any attacker obtain a valid account. The issue is tracked as CWE-639 (Authorization Bypass Through User-Controlled Key).
Critical Impact
Authenticated attackers can exfiltrate every prompt, response, and conversation flowing through any tenant's Dify applications by hijacking trace configuration.
Affected Products
- Dify version 1.14.1
- All Dify versions prior to 1.14.1
- Dify Cloud (multi-tenant SaaS deployment)
Discovery Timeline
- 2026-05-18 - CVE-2026-41947 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-41947
Vulnerability Analysis
Dify is an open-source LLM application development platform supporting multi-tenant deployments. The platform integrates with external observability providers, known as trace providers, to capture prompts, completions, and model interactions for debugging and analytics. Trace configuration endpoints control which provider receives this telemetry and the credentials used for transmission.
In affected versions, these endpoints validate that the caller holds the editor role but do not verify that the targeted application belongs to the caller's tenant. An authenticated user in tenant A can submit requests referencing an application identifier owned by tenant B and successfully write a new trace configuration to that application. Once enabled, all subsequent interactions on the victim application are mirrored to the attacker-supplied trace endpoint, exposing user prompts, model outputs, system instructions, and embedded secrets.
Root Cause
The root cause is a missing tenant ownership check within the trace configuration handlers. The authorization layer enforces role-based access control but treats the application identifier supplied by the client as trusted. Because Dify Cloud permits free self-registration, the attacker pre-condition of holding an authenticated editor session is trivial to satisfy.
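The pattern described above, reduced to an in-memory model as an added example. This is not Dify's code or the code from the fix: the `User`, `App`, role names, and both handler functions are hypothetical. It contrasts a role-only check with a check that also binds the application to the caller's tenant.

```python
from dataclasses import dataclass, field

class Forbidden(Exception): pass
class NotFound(Exception): pass

@dataclass
class User:
    id: str
    tenant_id: str
    role: str

@dataclass
class App:
    id: str
    tenant_id: str
    trace_config: dict = field(default_factory=dict)

# Constructed sample data: one application per tenant.
APPS = {"app-a": App("app-a", "tenant-a"), "app-b": App("app-b", "tenant-b")}

def require_editor(user):
    # Hypothetical role names; only the role is examined here.
    if user.role not in {"owner", "admin", "editor"}:
        raise Forbidden("editor role required")

def set_trace_config_vulnerable(user, app_id, provider, settings):
    """Role check only: the client-supplied app_id is trusted (CWE-639)."""
    require_editor(user)
    app = APPS.get(app_id)
    if app is None:
        raise NotFound(app_id)
    app.trace_config = {"provider": provider, **settings}
    return app

def set_trace_config_checked(user, app_id, provider, settings):
    """Role check plus ownership: the app must belong to the caller's tenant."""
    require_editor(user)
    app = APPS.get(app_id)
    # Answer "no such app" for another tenant's app too, so the response
    # does not confirm which identifiers exist (a design choice made here).
    if app is None or app.tenant_id != user.tenant_id:
        raise NotFound(app_id)
    app.trace_config = {"provider": provider, **settings}
    return app
```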
Attack Vector
The attack is performed over the network against the Dify API. An attacker registers an account, obtains an editor role within their own workspace, and then issues authenticated HTTP requests to the trace configuration endpoints supplying the victim application's identifier together with an attacker-controlled provider URL and API key. After the configuration is enabled, the attacker passively collects all telemetry forwarded by the victim application. No interaction from the victim tenant is required.
No public proof-of-concept code or exploitation tooling has been released for this issue. Refer to the VulnCheck Advisory on Dify and the Huntr Bounty Listing for technical details.
Detection Methods for CVE-2026-41947
Indicators of Compromise
- Trace configuration records referencing application identifiers whose tenant_id does not match the configuring user's tenant.
- Outbound HTTPS traffic from Dify worker processes to unrecognized LLM observability domains such as unfamiliar Langfuse, LangSmith, or Opik endpoints.
- Recent editor account registrations on Dify Cloud followed by API calls to trace configuration endpoints for applications they did not create.
Detection Strategies
- Audit the Dify database for trace configuration rows and cross-reference the configuring user's tenant against the owning application's tenant. Any mismatch indicates exploitation.
- Review API access logs for requests to trace configuration endpoints where the authenticated user's tenant differs from the target application's tenant.
- Inspect application telemetry settings for provider URLs pointing to domains outside the organization's approved observability stack.
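One way to run the tenant cross-reference and the provider-domain check from the list above, as an added example and not a query against Dify's real schema. The tables `apps`, `accounts`, and `trace_config_audit`, their columns, the approved host, and every row are constructed for illustration; map them onto the deployment's actual tables and change log before use.

```python
import sqlite3
from urllib.parse import urlsplit

# Assumption: the organization's approved observability hosts.
APPROVED_HOSTS = {"langfuse.corp.example"}

SCHEMA = """
CREATE TABLE apps (id TEXT PRIMARY KEY, tenant_id TEXT);
CREATE TABLE accounts (id TEXT PRIMARY KEY, tenant_id TEXT);
CREATE TABLE trace_config_audit (app_id TEXT, changed_by TEXT, provider_url TEXT);
"""

def build_sample_db():
    """In-memory database filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO apps VALUES (?, ?)",
                   [("app-1", "tenant-a"), ("app-2", "tenant-b"), ("app-3", "tenant-b")])
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "tenant-a"), ("bob", "tenant-b")])
    db.executemany("INSERT INTO trace_config_audit VALUES (?, ?, ?)", [
        ("app-1", "alice", "https://langfuse.corp.example/api"),  # expected
        ("app-2", "alice", "https://collector.unknown.example"),  # other tenant's app
        ("app-3", "bob", "https://new-provider.example/v1"),      # own app, new host
    ])
    return db

def audit_trace_configs(db, approved_hosts):
    """Return (app_id, user, reasons) for every suspicious configuration."""
    rows = db.execute("""
        SELECT c.app_id, c.changed_by, u.tenant_id, a.tenant_id, c.provider_url
        FROM trace_config_audit c
        JOIN apps a ON a.id = c.app_id
        LEFT JOIN accounts u ON u.id = c.changed_by
        ORDER BY c.app_id""").fetchall()
    findings = []
    for app_id, user, user_tenant, app_tenant, url in rows:
        reasons = []
        # A deleted or unknown account yields NULL and is flagged as well.
        if user_tenant != app_tenant:
            reasons.append("cross-tenant")
        host = (urlsplit(url).hostname or "").lower()
        if host not in approved_hosts:
            reasons.append("unapproved-host")
        if reasons:
            findings.append((app_id, user, reasons))
    return findings
```

Rows flagged `cross-tenant` are the ones to reset during cleanup; rows flagged only `unapproved-host` need review against the approved observability stack.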
Monitoring Recommendations
- Enable egress monitoring on Dify hosts and alert on connections to newly observed external API endpoints.
- Log every change to trace configuration with the acting user, tenant, target application, and new provider endpoint, then forward these events to a centralized SIEM for correlation.
- Establish baseline behavior for trace provider domains and alert when new providers are introduced.
How to Mitigate CVE-2026-41947
Immediate Actions Required
- Upgrade Dify to a version that includes the fix from Dify Pull Request #35793 without delay.
- Enumerate every trace configuration in the deployment and remove or reset entries whose configuring user does not belong to the owning application's tenant.
- Rotate API keys and credentials that may have been exposed through trace data forwarded to unauthorized providers.
Patch Information
The vendor fix is delivered in Dify Pull Request #35793, which adds tenant ownership validation to the trace configuration endpoints. Self-hosted operators should pull the patched release and redeploy. Dify Cloud customers receive the fix through the managed service update.
Workarounds
- Restrict creation of editor role accounts and disable open self-registration on self-hosted instances until the patch is applied.
- Place the Dify API behind an authenticating reverse proxy that blocks trace configuration endpoints for non-administrative users as a temporary control.
- Use network egress policies to allow-list only approved trace provider domains from Dify worker hosts, neutralizing redirection to attacker infrastructure.


