Vulnerability Description
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dify | Dify | <= 1.14.1 |
Related Weaknesses (CWE)
References
- https://github.com/langgenius/dify/pull/35797Issue TrackingPatchMitigation
- https://huntr.com/bounties/d50a0240-7951-4939-b989-9bded66c7682ExploitThird Party Advisory
- https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-preview-Third Party Advisory
FAQ
What is CVE-2026-41949?
CVE-2026-41949 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document acro...
How severe is CVE-2026-41949?
CVE-2026-41949 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41949?
Check the references section above for vendor advisories and patch information. Affected products include: Dify Dify.