What Happened
Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversations from other customers' applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security.
Why It Matters
According to Zafran Security and The Hacker News, the DifyTap vulnerabilities in the Dify agentic workflow platform enable cross-tenant exposure of private AI chats and documents, including unauthenticated reading of other customers' AI conversations and file previews across tenants.[1][2][3] Multiple CVEs (including CVE-2026-41947, CVE-2026-41948, CVE-2026-41949 and CVE-2026-41950) cover broken authorization and path traversal issues that allow attackers to reach internal plugin APIs and exfiltrate sensitive content from multi-tenant cloud deployments.[1][3] From a CyberSE.AI perspective, this represents a high-impact data leakage and AI supply chain risk for any organization consuming Dify as an AI orchestration component, and it calls for rapid patching, a review of tenant isolation, and hardened access controls around AI workflows. Practical mitigations include upgrading to fixed versions, deploying WAF rules and red-teaming focused specifically on cross-tenant data exposure paths, and incorporating Dify deployment configurations into SBOM-driven supply chain security assessments.[1][3]
CyberSE Analysis
This signal maps to data leakage. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html