Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalPublic exploit

Path Traversal in Dify Plugin Daemon Internal REST API

IdentifiersCVE-2026-41948CWE-22

CVE-2026-41948 is a path traversal vulnerability in Dify 1.14.1 and earlier affecting the Plugin Daemon, the internal service responsible for managing and running plugins. The flaw stems from insufficient URL path sanitization when attacker-controlled values are incorporated into requests forwarded to the Plugin Daemon’s internal REST API. Reported exploitation primitives include a GET-based vector using a manipulated filename parameter in a plugin icon request and a POST-based vector involving task deletion with crafted task identifiers containing unencoded dot sequences. By traversing outside the intended tenant-scoped path, an attacker can reach internal or private Plugin Daemon endpoints, including debug-style interfaces such as pprof, and potentially interact with arbitrary daemon API endpoints across tenant boundaries. The provided reporting is somewhat inconsistent on authentication requirements: some sources describe the vulnerable endpoints as requiring no authentication, while others characterize exploitation as available to authenticated users; however, Dify Cloud’s free self-registration materially lowers the barrier either way.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthorized access to internal Plugin Daemon API endpoints outside the attacker’s authorized tenant scope. Documented impacts include cross-tenant access to exposed daemon functionality, retrieval of other tenants’ plugin assets such as icons, and access to internal debug/performance endpoints. Because the flaw enables arbitrary endpoint access within the Plugin Daemon via crafted GET and POST requests, it creates a broader architectural risk: any sensitive current or future daemon endpoint exposed behind the same forwarding logic could become reachable, potentially affecting other tenants’ environments and exposing internal operational data.

Mitigation

If you can’t patch tonight, do this now.

Until a fully patched version is deployed, implement targeted WAF rules to block traversal patterns, including encoded and unencoded dot-segment sequences, in Plugin Daemon-related GET and POST requests, especially filename parameters and task identifiers. Restrict network exposure to Plugin Daemon-reachable paths, limit access to trusted users, disable or tightly control self-registration where feasible, and monitor logs for anomalous requests attempting path manipulation or access to debug/pprof-style endpoints. Additional compensating controls include segmentation to prevent unintended access to internal daemon interfaces and alerting on cross-tenant resource access patterns.

Remediation

Patch, then assume compromise.

Upgrade Dify to a vendor-fixed release. The supplied content states that Dify 1.14.2 addressed the disclosed vulnerabilities in general, but also notes that a specific fix for CVE-2026-41948 was merged separately and expected in a subsequent release; therefore, operators should deploy the latest upstream version containing the dedicated patch for CVE-2026-41948 rather than assuming 1.14.2 alone fully remediates this issue. Validate that the fix normalizes and rejects traversal sequences in all forwarded URL path components and parameters, and enforces tenant-bound authorization before proxying requests to Plugin Daemon endpoints.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
DifyDifyapplication
LanggeniusDifyapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

18 SOURCESView more in app
scworldNews
Jun 23, 2026
4 vulnerabilities in Dify expose cross-tenant data | brief | SC Media

A critical unauthenticated vulnerability in Dify's Plugin Daemon that allows access to arbitrary endpoints via path traversal or direct API manipulation.

Read more
security affairsNews
Jun 23, 2026
DifyTap: Four Bugs Put over 1 million AI Apps at Risk - Security Affairs

A critical vulnerability in Dify’s Plugin Daemon that allows unauthenticated access to arbitrary internal endpoints via GET and POST primitives, including path traversal through plugin-related requests.

Read more
security weekNews
Jun 23, 2026
Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps - SecurityWeek

A critical vulnerability in Dify’s plugin daemon that enables arbitrary internal API access via GET and POST requests and can be abused for path traversal and cross-tenant impact.

Read more
cyber security newsNews
Jun 23, 2026
DifyTap Flaws Allow Attackers to Wiretap AI Data Across Tenants - 1M+ Apps Impacted

A critical unauthenticated path traversal vulnerability in Dify Plugin Daemon that can expose internal APIs.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity12

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-41948
NVD
nvd.nist.gov/vuln/detail/CVE-2026-41948
MITRE CWE · CWE-22
cwe.mitre.org
Patch
github.com/langgenius/dify/pull/35796
Third Party Advisory
huntr.com/bounties/35b7ad59-e35d-443f-bf77-387bfb932ec0
Third Party Advisory
vulncheck.com/advisories/dify-path-traversal-via-plugin-daemon-internal-api-access