CVE-2025-67732
Plaintext API Key Exposure in Dify Enables Unauthorized Access
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | dify | to 1.11.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade Dify to version 1.11.0 or later, as this version fixes the issue of the API key being exposed in plaintext to the frontend. Until the upgrade, restrict access to the frontend to trusted users only to prevent unauthorized viewing and reuse of the API key.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to third-party services by non-administrator users. Such unauthorized use can consume limited quotas associated with the API key, potentially leading to service disruptions or unexpected costs.
Can you explain this vulnerability to me?
The vulnerability in Dify prior to version 1.11.0 involves the API key being exposed in plaintext to the frontend. This means that non-administrator users can view and reuse the API key, which should normally be kept secret. This exposure allows unauthorized users to access third-party services using the API key.