PT-2026-41676 · Dify

Published 2026-05-18 · Updated 2026-05-18

CVE-2026-41949

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dify versions prior to 1.14.1

Description: An authorization bypass exists in the file preview endpoint, allowing any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces. An attacker can use an intercepted file UUID to access the "/console/api/files/{file id}/preview" endpoint and extract sensitive content without ownership or workspace permission verification. Dify Cloud facilitates this by allowing unauthenticated free self-registration, making account creation easily accessible.

Recommendations: Update to a version later than 1.14.1. As a temporary workaround, restrict access to the "/console/api/files/{file id}/preview" endpoint to minimize the risk of unauthorized document access.
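The missing check described above, shown as an added illustration that is not Dify's code: a preview lookup keyed on the file UUID alone is placed beside one that scopes the lookup to the caller's current workspace (tenant), so a UUID from another tenant resolves to "not found" instead of leaking content. All type and function names here are hypothetical, and the in-memory file store stands in for the database.

```python
from dataclasses import dataclass
from typing import Dict, Set

PREVIEW_CHARS = 3000  # preview length cited in the advisory


@dataclass
class UploadFile:          # hypothetical stand-in for a stored upload
    id: str                # file UUID used in the preview URL
    tenant_id: str         # workspace that owns the file
    content: str


@dataclass
class User:                # hypothetical authenticated account
    id: str
    tenant_ids: Set[str]   # workspaces the account is a member of


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def preview_unscoped(files: Dict[str, UploadFile], file_id: str) -> str:
    """IDOR pattern: any authenticated caller who knows the UUID gets the text."""
    f = files.get(file_id)
    if f is None:
        raise NotFound(file_id)
    return f.content[:PREVIEW_CHARS]


def preview_scoped(files: Dict[str, UploadFile], file_id: str,
                   user: User, current_tenant: str) -> str:
    """Hardened form: the request's workspace must be one the user belongs to,
    and the file must belong to that same workspace."""
    if current_tenant not in user.tenant_ids:
        raise Forbidden(user.id)
    f = files.get(file_id)
    # Same response for missing and foreign files, so UUIDs cannot be probed
    # to learn which ones exist in other tenants.
    if f is None or f.tenant_id != current_tenant:
        raise NotFound(file_id)
    return f.content[:PREVIEW_CHARS]
```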

Weakness Enumeration: IDOR

Related Identifiers: CVE-2026-41949

Affected Products: Dify