CVE-2026-41950 Overview
CVE-2026-41950 is an authorization bypass vulnerability in Dify, an open-source large language model (LLM) application development platform. Versions prior to 1.14.0 fail to validate file ownership in the chat-messages endpoints. Authenticated users within the same tenant can supply an arbitrary file UUID in the files array of a chat-messages request and retrieve the contents of files owned by other users. The flaw bypasses workspace separation and signed URL protections, exposing sensitive file contents through workflow processing. The weakness is classified as [CWE-639] Authorization Bypass Through User-Controlled Key.
Critical Impact
Authenticated tenant users can read arbitrary files uploaded by other users by referencing the target file UUID in chat-messages requests, breaking tenant-internal data isolation.
Affected Products
- Dify versions prior to 1.14.0
- Self-hosted Dify deployments
- Multi-tenant Dify workspaces sharing user access
Discovery Timeline
- 2026-05-05 - CVE-2026-41950 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41950
Vulnerability Analysis
The vulnerability exists in Dify's chat-messages endpoints, which accept a files array referencing previously uploaded file UUIDs. The endpoint resolves each UUID to its underlying file object and feeds the contents into the workflow engine for LLM processing. Permission checks confirm only that the requester is authenticated within the tenant. The handler does not verify that the requesting user owns or has been granted access to the referenced file.
An attacker with a low-privileged tenant account can enumerate or guess file UUIDs and submit them through a crafted chat-messages request. The workflow processing path returns file contents in the model response or echoes them through downstream nodes, leaking sensitive documents uploaded by other tenant users.
Root Cause
The root cause is missing ownership validation on file references passed through the files parameter. Dify relies on signed URLs at the upload boundary but trusts the UUID once the file exists in storage. The chat-messages controller resolves UUIDs directly without cross-checking the file's owner against the authenticated session, breaking the workspace separation model.
Attack Vector
Exploitation requires network access to the Dify API and a valid authenticated session within the target tenant. The attacker issues a POST request to a chat-messages endpoint with a crafted JSON body containing a target file UUID in the files array. The workflow processes the file and returns its contents, allowing the attacker to exfiltrate data without modifying or deleting the original file. Confidentiality is impacted while integrity and availability remain intact.
No public proof-of-concept code has been confirmed by the vendor. Technical details are available in the Huntr Bounty Report and the VulnCheck Advisory.
Detection Methods for CVE-2026-41950
Indicators of Compromise
- Chat-messages API requests containing files arrays with UUIDs not previously uploaded by the requesting user session.
- Anomalous spikes in workflow execution responses returning large file contents to low-privileged accounts.
- Repeated 200 OK responses from /v1/chat-messages or /console/api/apps/*/chat-messages paired with UUID enumeration patterns.
Detection Strategies
- Correlate Dify application logs to match each file_id referenced in chat-messages requests against the created_by field of the file record.
- Alert when a single user references file UUIDs owned by more than a configurable number of distinct other users within a short window.
- Inspect reverse proxy logs for high-volume POST traffic to chat-messages endpoints with varying UUID payloads from the same session token.
Monitoring Recommendations
- Enable verbose audit logging on the Dify API gateway and forward logs to a centralized SIEM for retention and correlation.
- Track per-tenant baselines for file access volume and flag deviations indicative of UUID enumeration.
- Monitor outbound responses from workflow nodes for unexpected file content disclosure to non-owner accounts.
How to Mitigate CVE-2026-41950
Immediate Actions Required
- Upgrade Dify to version 1.14.0 or later, which adds ownership validation on file references in chat-messages requests.
- Review tenant membership and revoke unnecessary user accounts to reduce the population of accounts able to exploit the bypass.
- Audit historical chat-messages logs for cross-user file UUID references and assess potential data exposure.
Patch Information
The vendor released the fix in Dify 1.14.0. See the GitHub Release 1.14.0 notes for upgrade instructions and the full changelog. Self-hosted operators should rebuild containers from the patched tag and verify that the chat-messages controller now enforces file ownership checks.
Workarounds
- Restrict tenant access to trusted users only until the patch is applied, since exploitation requires authenticated tenant access.
- Place the Dify API behind a web application firewall and rate-limit chat-messages endpoints to slow UUID enumeration.
- Disable file upload features for sensitive workspaces if upgrading immediately is not feasible.
# Upgrade self-hosted Dify deployment to the patched release
git fetch --tags
git checkout 1.14.0
docker compose -f docker/docker-compose.yaml pull
docker compose -f docker/docker-compose.yaml up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
