Executive Summary

CVE-2026-28288 is a user enumeration vulnerability in the Dify platform versions up to 1.8.1. The vulnerability occurs because the Dify API returns different responses when login attempts are made with existing versus non-existent email addresses.

Specifically, when a POST request is sent to the /console/api/login endpoint with a valid email but incorrect password, the response differs from the response when an invalid email and password are used. This difference allows an attacker to determine which email addresses are registered with Dify.

This behavior is classified under CWE-204 (Observable Response Discrepancy), where the system reveals internal state information through differing responses to unauthorized requests.

The vulnerability was fixed in version 1.9.0 by standardizing authentication error messages to prevent attackers from distinguishing between valid and invalid accounts.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows attackers to enumerate valid email addresses registered with the Dify platform by analyzing the differences in API responses.'}, {'type': 'paragraph', 'content': 'With knowledge of valid email addresses, attackers can launch targeted phishing campaigns or attempt brute-force attacks on user accounts.'}, {'type': 'paragraph', 'content': "However, the overall risk is somewhat mitigated by Dify's brute-force protection mechanisms."}] [1, 2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing the responses from the Dify API when attempting to log in with different email addresses. Specifically, sending POST requests to the `/console/api/login` endpoint with various email addresses and passwords will yield distinguishable responses if the email exists or not.'}, {'type': 'paragraph', 'content': 'For example, you can use the following curl commands to test for user enumeration:'}, {'type': 'list_item', 'content': 'curl -X POST https://<dify-server>/console/api/login -d \'{"email":"[email protected]", "password":"wrongpassword"}\' -H \'Content-Type: application/json\''}, {'type': 'list_item', 'content': 'curl -X POST https://<dify-server>/console/api/login -d \'{"email":"[email protected]", "password":"wrongpassword"}\' -H \'Content-Type: application/json\''}, {'type': 'paragraph', 'content': 'If the responses differ (e.g., one indicates "wrong password" and the other "user not found"), it confirms the presence of the vulnerability allowing user enumeration.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade the Dify platform to version 1.9.0 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'The fix involves standardizing authentication error messages across login, registration, and password reset endpoints to prevent user enumeration. This includes:'}, {'type': 'list_item', 'content': 'Returning a generic error message such as "Invalid email or password" for all login attempts regardless of account existence.'}, {'type': 'list_item', 'content': 'Ensuring password reset requests always return a success message to avoid disclosing account existence.'}, {'type': 'list_item', 'content': 'Adjusting email verification processes to prevent leaking information about registered accounts.'}, {'type': 'paragraph', 'content': 'Additionally, verify that brute-force protection mechanisms are enabled to reduce the risk of brute-force attacks exploiting this vulnerability.'}] [1, 2]

Useful 0 Not Useful 0