CVE-2025-67732
Unknown Unknown - Not Provided
Plaintext API Key Exposure in Dify Enables Unauthorized Access

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67732
EUVD
EUVD-2025-206235
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor dify to 1.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Upgrade Dify to version 1.11.0 or later, as this version fixes the issue of the API key being exposed in plaintext to the frontend. Until the upgrade, restrict access to the frontend to trusted users only to prevent unauthorized viewing and reuse of the API key.

Impact Analysis

This vulnerability can lead to unauthorized access to third-party services by non-administrator users. Such unauthorized use can consume limited quotas associated with the API key, potentially leading to service disruptions or unexpected costs.

Executive Summary

The vulnerability in Dify prior to version 1.11.0 involves the API key being exposed in plaintext to the frontend. This means that non-administrator users can view and reuse the API key, which should normally be kept secret. This exposure allows unauthorized users to access third-party services using the API key.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67732. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart