CVE-2026-34082
Received Received - Intake

Authorization Bypass in Dify Allows Unauthorized Chat Deletion

Vulnerability report for CVE-2026-34082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-20
Last Modified
2026-04-23
Generated
2026-07-06
AI Q&A
2026-04-21
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dify dify to 1.13.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring and testing the DELETE API endpoint `/console/api/installed-apps/<appId>/conversations/<conversationId>` for improper authorization checks.

A practical approach involves capturing conversation IDs from GET requests to `/console/api/installed-apps/<appId>/conversations` and then attempting to issue DELETE requests to the same endpoint using those IDs while authenticated as different users.

If a user can delete conversations that do not belong to them, the system is vulnerable.

Suggested commands using curl for detection might be:

  • 1. Authenticate as User A and list conversations: `curl -H "Authorization: Bearer <tokenA>" https://<dify-host>/console/api/installed-apps/<appId>/conversations`
  • 2. Extract a conversationId from the response belonging to User A.
  • 3. Authenticate as User B and attempt to delete User A's conversation: `curl -X DELETE -H "Authorization: Bearer <tokenB>" https://<dify-host>/console/api/installed-apps/<appId>/conversations/<conversationId>`

If the DELETE request succeeds, the vulnerability is present.

Executive Summary

This vulnerability exists in the Dify open-source LLM app development platform prior to version 1.13.1. The issue is in the DELETE API endpoint for removing conversations associated with installed apps. Specifically, the method DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> has poor authorization checks, which means any user authenticated with Dify can delete chat histories belonging to other users.

Impact Analysis

The vulnerability allows any authenticated user to delete chat histories of other users without proper authorization. This can lead to loss of important conversation data, potential disruption of services relying on chat history, and unauthorized modification or deletion of user data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Dify to version 1.13.1 or later, as this version patches the authorization issue allowing unauthorized deletion of chat history.

Compliance Impact

The vulnerability allows any authenticated user to delete another user's chat history due to poor authorization checks. This could lead to unauthorized data modification or loss, which may impact compliance with data protection regulations such as GDPR or HIPAA that require strict controls over access and modification of personal or sensitive data.

Specifically, the ability for users to delete others' chat histories without proper authorization could violate principles of data integrity and accountability mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart