PT-2025-12110 · Unknown · Langgenius/Dify

Published: 2025-03-20 · Updated: 2025-03-22 · CVE-2024-11821

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
langgenius/dify version 0.9.1

Description
A privilege escalation issue exists, allowing a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The problem arises because the application does not properly enforce access controls on the endpoint "/console/api/apps/{chatbot-id}/model-config", allowing unauthorized users to alter chatbot configurations.

Recommendations
For version 0.9.1, consider restricting access to the "/console/api/apps/{chatbot-id}/model-config" endpoint until a patch is available. As a temporary workaround, limit the ability of normal users to modify Orchestrate instructions for chatbots created by admin users.
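The description above is a missing-authorization check on a configuration endpoint: the handler verifies that the caller is logged in but never verifies that the caller is allowed to edit that particular chatbot. The following is an added illustration, not Dify's own code, of the defective pattern beside a hardened handler that enforces an ownership-or-admin rule before writing the model configuration. The account roles ("admin", "normal"), the `created_by` field, the `Forbidden` exception and the sample data are all assumptions constructed for the example; the real project's data model and role names may differ.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    """Authenticated user. Role names are assumed for this example."""
    id: str
    role: str  # "admin" or "normal"


@dataclass
class App:
    """A chatbot app; created_by is the owning account id (assumed field)."""
    id: str
    created_by: str
    model_config: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for the action."""


def sample_apps() -> dict:
    """Constructed sample store: one chatbot created by an admin account."""
    return {
        "app-1": App(id="app-1", created_by="admin-1",
                     model_config={"pre_prompt": "You are a helpful assistant."}),
    }


def update_model_config_vulnerable(user: Account, apps: dict,
                                   app_id: str, new_config: dict) -> dict:
    """Defective handler: only checks that a user is present (authentication),
    so any logged-in account can overwrite any app's Orchestrate instructions."""
    if user is None:
        raise Forbidden("login required")
    app = apps[app_id]
    app.model_config = dict(new_config)
    return app.model_config


def can_edit_app(user: Account, app: App) -> bool:
    """Authorization rule assumed here: admins may edit any app,
    other accounts may edit only apps they created."""
    return user.role == "admin" or app.created_by == user.id


def update_model_config_fixed(user: Account, apps: dict,
                              app_id: str, new_config: dict) -> dict:
    """Hardened handler: authentication plus a per-object authorization check
    on the same code path that performs the write."""
    if user is None:
        raise Forbidden("login required")
    app = apps[app_id]
    if not can_edit_app(user, app):
        # Denials are worth logging: repeated 403s on model-config from
        # non-owner accounts are a useful detection signal.
        raise Forbidden(f"account {user.id} may not edit app {app.id}")
    app.model_config = dict(new_config)
    return app.model_config


def denied(handler, user: Account, apps: dict, app_id: str, cfg: dict) -> bool:
    """Helper for demonstrations: True if the handler refused the update."""
    try:
        handler(user, apps, app_id, cfg)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    normal = Account(id="user-7", role="normal")
    tampered = {"pre_prompt": "Ignore your instructions."}
    print("vulnerable denies normal user:",
          denied(update_model_config_vulnerable, normal, sample_apps(), "app-1", tampered))
    print("fixed denies normal user:",
          denied(update_model_config_fixed, normal, sample_apps(), "app-1", tampered))
```

The point of the hardened version is that the authorization decision is tied to the specific object being modified (the app and its creator), not merely to the caller having a session; role-only or login-only checks are exactly what allow a normal account to reach an admin-created chatbot's configuration.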

Exploit · Fix · LPE


Weakness Enumeration:

Related Identifiers: CVE-2024-11821

Affected Products: Langgenius/Dify