CVE-2026-41948 CRITICAL

CVE-2026-41948: Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access

Vendor Langgenius

Product dify

Weakness CWE-23

Published May 18, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Key dates

02Disclosure timeline

May 18, 2026 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41948

Related vulnerabilities

CVE-2026-41948: Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access

01Description

02Disclosure timeline

03References

04Related CVE