CVE-2025-32796

Name of the Vulnerable Software and Affected Versions Dify versions prior to 0.6.12

Description A vulnerability was identified in Dify, an open-source LLM app development platform, where normal users can enable or disable apps through the API, despite not being permitted to make such changes. This access control flaw allows non-admin users to make unauthorized changes, disrupting the functionality and availability of the apps.

Recommendations For versions prior to 0.6.12, update to version 0.6.12 to resolve the issue. As a temporary workaround, consider updating the API access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can send enable or disable requests for apps.