Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalPublic exploit

Path Traversal in Dify Plugin Daemon Internal REST API

IdentifiersCVE-2026-41948CWE-22

CVE-2026-41948 is a path traversal vulnerability in Dify 1.14.1 and earlier affecting the Plugin Daemon, the internal service responsible for managing and running plugins. The flaw stems from insufficient URL path sanitization when attacker-controlled values are incorporated into requests forwarded to the Plugin Daemon’s internal REST API. Reported exploitation primitives include a GET-based vector using a manipulated filename parameter in a plugin icon request and a POST-based vector affecting task deletion, including use of unencoded dot-segments in task identifiers. By traversing outside the intended tenant-scoped path, an attacker can reach internal or private Plugin Daemon endpoints, including debug-style interfaces, and potentially interact with arbitrary daemon API endpoints outside their authorized scope. Available reporting is somewhat inconsistent on whether authentication is always required, but the primary description states authenticated users can exploit the issue; in Dify Cloud, free self-registration makes obtaining an account trivial.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthorized access to internal Plugin Daemon REST API endpoints outside the attacker’s authorized tenant scope. Reported impacts include cross-tenant access to exposed daemon functionality, retrieval of other tenants’ plugin icons, access to internal/private endpoints such as debug or pprof-style interfaces, and the ability to affect other tenants’ environments depending on reachable endpoints. Because the flaw exposes arbitrary internal API paths via both GET and POST request manipulation, the practical impact depends on what Plugin Daemon endpoints are present and exposed in the deployed version, making this an architectural boundary-break issue with potential for broader abuse as the daemon evolves.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, deploy targeted WAF rules to block traversal patterns and malformed path segments in Plugin Daemon-related GET and POST requests, especially unencoded dot-segments and suspicious filename/task identifier values. Restrict exposure of Plugin Daemon-reachable interfaces through network segmentation and reverse-proxy policy, disable or tightly control self-registration where feasible, monitor logs for traversal attempts against plugin icon and task deletion endpoints, and limit Dify access to trusted users until the patched release is deployed.

Remediation

Patch, then assume compromise.

Upgrade Dify to a vendor-fixed release newer than 1.14.1. The provided content states Dify 1.14.2 addressed the disclosed vulnerabilities in some reporting, while other reporting says the fix for CVE-2026-41948 was merged for a subsequent release; therefore operators should deploy the latest upstream version containing the specific CVE-2026-41948 patch rather than relying solely on 1.14.2 without verification. Validate that the fix normalizes and rejects traversal sequences in all Plugin Daemon request construction paths, including filename parameters and task identifiers, and enforces tenant/authorization checks on internal daemon endpoints.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
DifyDifyapplication
LanggeniusDifyapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

18 SOURCESView more in app
scworldNews
Jun 23, 2026
4 vulnerabilities in Dify expose cross-tenant data | brief | SC Media

A critical unauthenticated vulnerability in Dify's Plugin Daemon that allows access to arbitrary endpoints via path traversal or direct API manipulation.

Read more
security affairsNews
Jun 23, 2026
DifyTap: Four Bugs Put over 1 million AI Apps at Risk - Security Affairs

A critical vulnerability in Dify’s Plugin Daemon that allows unauthenticated access to arbitrary internal endpoints via GET and POST primitives, including path traversal through plugin-related requests.

Read more
security weekNews
Jun 23, 2026
Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps - SecurityWeek

A critical vulnerability in Dify’s plugin daemon that enables arbitrary internal API access via GET and POST requests and can be abused for path traversal and cross-tenant impact.

Read more
cyber security newsNews
Jun 23, 2026
DifyTap Flaws Allow Attackers to Wiretap AI Data Across Tenants - 1M+ Apps Impacted

A critical unauthenticated path traversal vulnerability in Dify Plugin Daemon that can expose internal APIs.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity12

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-41948
NVD
nvd.nist.gov/vuln/detail/CVE-2026-41948
MITRE CWE · CWE-22
cwe.mitre.org
Patch
github.com/langgenius/dify/pull/35796
Third Party Advisory
huntr.com/bounties/35b7ad59-e35d-443f-bf77-387bfb932ec0
Third Party Advisory
vulncheck.com/advisories/dify-path-traversal-via-plugin-daemon-internal-api-access