CVE-2025-67732

High CVSS: 8.4

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue.

Vendor

Dify

Product

Dify

CWE

CWE-200

Yayın Tarihi

2026-01-05 22:15:51

Güncelleme

2026-01-12 18:20:15

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Dify HIGH Dify 2026

Referanslar

https://github.com/langgenius/dify/security/advisories/GHSA-phpv-94hg-fv9g

Benzer Kayıtlar

Medium

CVE-2026-21866

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rend…

Medium

CVE-2026-28288

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-exi…

Medium

CVE-2026-26023

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been foun…

Medium

CVE-2025-56520

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_…

High

CVE-2025-0185

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in…

High

CVE-2024-11822

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due…