CVE-2026-28288

Medium CVSS: 5.5

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

Vendor

Dify

Product

Dify

CWE

CWE-204

Yayın Tarihi

2026-02-27 21:16:18

Güncelleme

2026-03-09 20:23:10

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-204 Dify MEDIUM Dify 2026

Referanslar

https://github.com/langgenius/dify/issues/24323 https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx

Benzer Kayıtlar

Medium

CVE-2026-21866

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rend…

Medium

CVE-2026-26023

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been foun…

High

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the…

Medium

CVE-2025-56520

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_…

High

CVE-2025-0185

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in…

High

CVE-2024-11822

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due…