CVE-2025-59422

Medium CVSS: 6.0

Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10 endpoint allows users in the same workspace to read chat messages of other users. A regular user is able to read the query data and the filename of the admins and probably other users chats, if they know the conversation_id. This impacts the confidentiality of chats. This issue has been patched in version 1.9.0.

Vendor

Langgenius

Product

Dify

CWE

CWE-284

Yayın Tarihi

2025-09-25 14:15:45

Güncelleme

2025-10-14 14:10:41

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-284 Dify MEDIUM Langgenius 2025

Referanslar

https://github.com/langgenius/dify/commit/b2d8a7eaf1693841411934e2056042845ab4f354 https://github.com/langgenius/dify/security/advisories/GHSA-jg5j-c9pq-w894 https://github.com/langgenius/dify/security/advisories/GHSA-jg5j-c9pq-w894

Benzer Kayıtlar

High

CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to th…

Critical

CVE-2025-56157

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file inclu…

Critical

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup en…

Critical

CVE-2025-63388

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-f…

Medium

CVE-2025-11750

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning d…

Low

CVE-2025-58747

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable t…