Executive Summary

CVE-2026-41947 is an authorization bypass vulnerability in Dify version 1.14.1 and earlier. It allows authenticated editor users to manipulate trace configuration endpoints without proper tenant ownership checks.

This flaw enables attackers to set and enable trace configurations for any application, regardless of tenant ownership, which means they can redirect all messages and responses from victim applications to attacker-controlled large language model (LLM) trace providers.

The vulnerability is worsened by Dify Cloud's unauthenticated free self-registration, making it easy for attackers to create accounts and exploit this issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts as it allows attackers to redirect all messages and responses from victim applications to attacker-controlled endpoints.

Such redirection can lead to exfiltration of sensitive data, including prompts and outputs from applications, potentially compromising confidentiality and integrity of data.

Because attackers can manipulate trace configurations across tenants, this can lead to unauthorized access and data leakage between different tenant environments.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking whether unauthorized tenant access to trace configuration endpoints is possible. Specifically, attempts to access or modify trace configurations for applications outside the authenticated user's tenant should be tested.

You can try sending HTTP requests to the /console/api/apps/<app_id>/trace-config endpoints (GET, POST, PATCH, DELETE) using an authenticated editor user account to see if you can access or modify trace configurations of applications not owned by your tenant.

Example commands using curl to test unauthorized access might include:

• curl -X GET -H "Authorization: Bearer <editor_token>" https://<dify_host>/console/api/apps/<other_tenant_app_id>/trace-config
• curl -X PATCH -H "Authorization: Bearer <editor_token>" -H "Content-Type: application/json" -d '{"enabled":true,"provider":"attacker-controlled-llm"}' https://<dify_host>/console/api/apps/<other_tenant_app_id>/trace-config

If these requests succeed in accessing or modifying trace configurations of applications outside your tenant, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the available patch that enforces tenant ownership checks on the trace configuration endpoints.

The patch introduces tenant verification by applying the @get_app_model decorator to the affected endpoints, ensuring only applications within the caller's tenant can be accessed or modified.

If patching is not immediately possible, consider restricting access to the trace configuration endpoints to trusted users only and monitoring for suspicious activity involving trace configuration changes.

Additionally, since Dify Cloud allows unauthenticated free self-registration, consider implementing stricter account creation controls or monitoring new accounts for suspicious behavior.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to bypass authorization controls and redirect sensitive application messages and responses to attacker-controlled endpoints. This could lead to unauthorized access and potential exfiltration of sensitive data.

Such unauthorized access and data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized disclosure.

Because the vulnerability enables cross-tenant data access and manipulation, it undermines tenant isolation and data confidentiality, key requirements in many compliance frameworks.

Useful 0 Not Useful 0