PT-2026-33730 · Langgenius · Dify
Eric-G · Published 2026-04-20 · Updated 2026-04-20 · CVE-2026-6617
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Langgenius Dify versions prior to 0.7.0
Description
A server-side request forgery exists in the ApiToolManageService component. The issue occurs within the get_api_tool_provider_remote_schema() function located in the 'api/services/tools/api_tools_manage_service.py' file. A remote attacker can trigger this by manipulating the url argument.
Recommendations
Update to a version newer than 0.6.9.
As a temporary workaround, restrict access to the get_api_tool_provider_remote_schema() function until the update is applied.
Exploit
Fix
SSRF
Affected Products
Dify