PT-2025-39373 · Dify · Dify
Published: 2025-09-25 · Updated: 2025-09-25 · CVE-2025-59422
CVSS v4.0: 6.0 (Medium)
| Vector | AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Dify version 1.8.1
Description
A broken access control issue exists in Dify version 1.8.1. It allows users within the same workspace to read chat messages belonging to other users. The issue is present on the `/console/api/apps/<APP_ID>/chat-messages?conversation_id=<CONVERSATION_ID>&limit=10` API endpoint. A regular user can access query data and filenames from other users' chats, provided they know the conversation ID. This compromises the confidentiality of chat data.
Recommendations
Update to version 1.9.0 or later.
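The following is an added illustration, not Dify's code or its actual fix: a chat-messages lookup that only verifies the requester belongs to the conversation's workspace (the access-control gap the description reports) beside a hardened version that also requires the requester to own the conversation. All data structures, names and sample data are constructed for the example.

```python
"""Added example (not Dify's code): workspace-scoped vs. owner-scoped
authorization for a chat-messages lookup, modelled on the CVE-2025-59422
description. Every name and record below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    workspace_id: str


@dataclass
class Conversation:
    conversation_id: str
    app_id: str
    workspace_id: str
    owner_id: str
    messages: list = field(default_factory=list)


# Constructed sample data: two users share workspace ws-1 and app app-1,
# each with one conversation. Bob's chat carries an uploaded filename.
CONVERSATIONS = {
    "conv-alice": Conversation("conv-alice", "app-1", "ws-1", "alice", ["alice: hello", "bot: hi"]),
    "conv-bob": Conversation("conv-bob", "app-1", "ws-1", "bob", ["bob: uploaded q3-plan.pdf"]),
}


class Forbidden(Exception):
    """Raised for any lookup the requester is not allowed to see."""


def list_messages_vulnerable(requester: User, app_id: str, conversation_id: str, limit: int = 10) -> list:
    """Weak pattern: checks only that the conversation lives in the requester's
    workspace, so any workspace member who knows a conversation ID can read it."""
    conv = CONVERSATIONS.get(conversation_id)
    if conv is None or conv.app_id != app_id or conv.workspace_id != requester.workspace_id:
        raise Forbidden("not found")
    return conv.messages[:limit]


def list_messages_fixed(requester: User, app_id: str, conversation_id: str, limit: int = 10) -> list:
    """Hardened: the requester must also own the conversation. All failures map
    to the same opaque error so the response does not confirm a guessed ID exists."""
    conv = CONVERSATIONS.get(conversation_id)
    if (conv is None or conv.app_id != app_id
            or conv.workspace_id != requester.workspace_id
            or conv.owner_id != requester.user_id):
        raise Forbidden("not found")
    return conv.messages[:limit]
```

The owner check is illustrative of the object-level authorization a fix needs; a deployment with shared or team conversations would replace `owner_id == requester.user_id` with an explicit membership lookup rather than drop the check.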
Weakness Enumeration
Improper Access Control
Affected Products
Dify