CVE-2026-34082
Received Received - Intake
Authorization Bypass in Dify Allows Unauthorized Chat Deletion

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34082
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dify dify to 1.13.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Dify open-source LLM app development platform prior to version 1.13.1. The issue is in the DELETE API endpoint for removing conversations associated with installed apps. Specifically, the method DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> has poor authorization checks, which means any user authenticated with Dify can delete chat histories belonging to other users.

Impact Analysis

The vulnerability allows any authenticated user to delete chat histories of other users without proper authorization. This can lead to loss of important conversation data, potential disruption of services relying on chat history, and unauthorized modification or deletion of user data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Dify to version 1.13.1 or later, as this version patches the authorization issue allowing unauthorized deletion of chat history.

Detection Guidance

This vulnerability can be detected by monitoring and testing the DELETE API endpoint `/console/api/installed-apps/<appId>/conversations/<conversationId>` for improper authorization checks.

A practical approach involves capturing conversation IDs from GET requests to `/console/api/installed-apps/<appId>/conversations` and then attempting to issue DELETE requests to the same endpoint using those IDs while authenticated as different users.

If a user can delete conversations that do not belong to them, the system is vulnerable.

Suggested commands using curl for detection might be:

  • 1. Authenticate as User A and list conversations: `curl -H "Authorization: Bearer <tokenA>" https://<dify-host>/console/api/installed-apps/<appId>/conversations`
  • 2. Extract a conversationId from the response belonging to User A.
  • 3. Authenticate as User B and attempt to delete User A's conversation: `curl -X DELETE -H "Authorization: Bearer <tokenB>" https://<dify-host>/console/api/installed-apps/<appId>/conversations/<conversationId>`

If the DELETE request succeeds, the vulnerability is present.

Compliance Impact

The vulnerability allows any authenticated user to delete another user's chat history due to poor authorization checks. This could lead to unauthorized data modification or loss, which may impact compliance with data protection regulations such as GDPR or HIPAA that require strict controls over access and modification of personal or sensitive data.

Specifically, the ability for users to delete others' chat histories without proper authorization could violate principles of data integrity and accountability mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart