PT-2026-41675 · Dify · Dify

Published 2026-05-18 · Updated 2026-05-19 · CVE-2026-41948
CVSS v3.1 9.4 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Dify versions prior to 1.14.2
Description: Insufficient URL path sanitization allows authenticated users to manipulate requests that Dify forwards to the Plugin Daemon's internal REST API. By placing unencoded dot-segments ("..") in task identifiers or in manipulated filename parameters, an attacker can traverse out of the path prefix reserved for their own tenant. This exposes internal endpoints, such as debug interfaces, of other tenants, provided the attacker knows the victim tenant's UUID. On Dify Cloud the authentication requirement is trivially satisfied, since unauthenticated free self-registration is open to anyone.
Recommendations: Update to Dify 1.14.2 or later (the fix is not present in 1.14.1 or earlier).


Weakness Enumeration: Relative Path Traversal (CWE-23)

Related Identifiers: CVE-2026-41948

Affected Products: Dify