PT-2025-43031 · Dify-Web

Published: 2025-10-22 · Updated: 2025-10-30 · CVE-2025-11750

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: langgenius/dify-web version 1.6.0

Description: The authentication process in the software reveals whether user accounts exist by returning different error messages depending on whether a username or email is registered. Attempting to log in or register with a non-existent account results in an error message such as "account not found", while a valid account with an incorrect password returns a different message. This allows attackers to enumerate valid user accounts by comparing the error responses, potentially enabling targeted social engineering, brute-force, or credential-stuffing attacks. The API endpoint involved in this issue is the login API; the username or email parameters are used to identify accounts.

Recommendations: For langgenius/dify-web version 1.6.0, ensure that the error messages returned during authentication do not differentiate between non-existent and existing accounts. Return one consistent error message (and status code) for every failed login attempt to prevent user enumeration.
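The following is an added illustration of the weakness and the recommended fix; it is not Dify's code and does not reflect its real data model. It contrasts a login handler that leaks account existence through distinct "account not found" / "incorrect password" responses with a hardened handler that returns one generic response for every failure and performs the same password-hash computation on a constructed dummy record when the account is unknown, so that response timing does not leak existence either. The in-memory user store, salts, passwords and response bodies are constructed for the example; `leaks_account_existence` is a regression check a defender can keep in a test suite.

```python
import hashlib
import hmac
import os

# Password hashing for the demo: PBKDF2-HMAC-SHA256 with a per-user salt.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed in-memory user store (not Dify's real storage); one known account.
_SALT_ALICE = b"constructed-salt-16b"
USERS = {
    "alice@example.com": {
        "salt": _SALT_ALICE,
        "hash": _hash_password("correct horse", _SALT_ALICE),
    },
}

# Dummy record used only to burn the same hashing cost for unknown accounts.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)


def login_vulnerable(email: str, password: str):
    """Leaky handler: the response reveals whether `email` is registered."""
    user = USERS.get(email)
    if user is None:
        # Distinct status and message for a missing account -> enumeration oracle.
        return 404, {"code": "account_not_found", "message": "account not found"}
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return 401, {"code": "invalid_password", "message": "incorrect password"}
    return 200, {"code": "ok"}


# One response for every failed attempt, regardless of the reason.
GENERIC_FAILURE = (401, {"code": "invalid_credentials",
                         "message": "invalid email or password"})


def login_hardened(email: str, password: str):
    """Hardened handler: identical response and comparable work for any failure."""
    user = USERS.get(email)
    if user is None:
        # Hash against the dummy record so an unknown account costs the same
        # time as a wrong password on a real one; the result is discarded.
        hmac.compare_digest(_hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return GENERIC_FAILURE
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return GENERIC_FAILURE
    return 200, {"code": "ok"}


def leaks_account_existence(login_fn, known="alice@example.com",
                            unknown="nobody@example.com") -> bool:
    """Regression check: a failed login for a known and an unknown account
    must yield byte-for-byte identical (status, body) pairs."""
    wrong_password = "definitely-not-the-password"
    return login_fn(known, wrong_password) != login_fn(unknown, wrong_password)


if __name__ == "__main__":
    print("vulnerable handler leaks existence:", leaks_account_existence(login_vulnerable))
    print("hardened handler leaks existence:  ", leaks_account_existence(login_hardened))
    print("valid login via hardened handler:  ", login_hardened("alice@example.com", "correct horse"))
```

The same principle applies to the registration path the advisory mentions: a "this email is already registered" response is an equivalent oracle, and the usual remedy is to accept the request uniformly and deliver any account-state information out of band (for example by e-mail to the address supplied).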

Related Identifiers: CVE-2025-11750

Affected Products: Dify-Web