Cybersecurity researchers have disclosed details of four vulnerabilities, collectively named DifyTap, in Dify, a widely adopted open-source agentic AI workflow platform with over 146,000 GitHub stars. The flaws could allow attackers to silently read AI conversations belonging to other customers' applications in multi-tenant deployments, without requiring any authentication.
What is Dify
Dify is an open-source platform for building, deploying, and managing LLM-powered applications and agentic workflows. It supports integration with providers including OpenAI, Anthropic, and others, and enables teams to construct RAG pipelines, chatbots, and autonomous agent systems with a visual interface. Its popularity in enterprise AI deployments makes the DifyTap disclosure particularly significant.
The DifyTap Vulnerabilities
The four vulnerabilities chain together to enable cross-tenant AI conversation theft:
Flaw 1: Tenant Isolation Bypass
A logic error in Dify's workspace permission model allows requests from one tenant context to query conversation data belonging to a separate tenant. The isolation boundary between workspaces is enforced inconsistently, with certain API endpoints failing to validate that the requesting user belongs to the workspace owning the target conversation.
Flaw 2: Conversation ID Enumeration
Conversation identifiers are predictable or insufficiently randomized, enabling an attacker to enumerate valid conversation IDs belonging to other workspaces through brute-force or pattern analysis.
Flaw 3: Unauthenticated Message Retrieval
Specific API endpoints that return conversation message history lack authentication requirements, allowing anyone with a valid conversation ID to retrieve the full message history of that conversation — including any sensitive information shared with the AI.
Flaw 4: Server-Side Request Forgery (SSRF) in Workflow Execution
An SSRF vulnerability in Dify's workflow node execution allows an attacker to cause the server to make requests to internal network resources, including cloud metadata endpoints, which can expose credentials and expand the attack surface.
Real-World Impact
In multi-tenant Dify deployments — such as managed instances or shared enterprise platforms — successful exploitation of DifyTap could allow:
- AI conversation theft: Reading confidential prompts, responses, and document contents uploaded to another tenant's AI application
- Intellectual property exposure: Accessing proprietary workflows, system prompts, and RAG document chunks
- Credential harvesting via SSRF: Pivoting to cloud metadata services to steal IAM credentials
- Competitive intelligence gathering: Extracting business-sensitive AI application designs from co-tenant organizations
Affected Versions and Patch Status
The vulnerabilities were responsibly disclosed to the Dify maintainers. Organizations running self-hosted Dify instances should review the project's GitHub releases for patched versions and apply updates immediately.
Recommendations
- Update Dify immediately to the latest patched release
- Audit tenant isolation in your Dify deployment configuration
- Rotate API keys and credentials exposed to the Dify environment
- Review network egress rules to limit SSRF impact from workflow execution nodes
- Monitor API logs for anomalous cross-workspace access patterns
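The log monitoring recommended above, sketched as an added example (not code from the DifyTap disclosure or from Dify): it flags the three access patterns described under Flaws 1 to 3. The record fields, workspace names and ownership map are constructed assumptions, not Dify's real log schema.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not Dify's log
# schema. "user_ws" is None when the request carried no authentication.
SAMPLE_LOG = [
    {"ip": "10.0.0.5", "user_ws": "ws-a", "conv": "c-100", "status": 200},
    {"ip": "10.0.0.9", "user_ws": "ws-b", "conv": "c-100", "status": 200},
    {"ip": "203.0.113.7", "user_ws": None, "conv": "c-101", "status": 200},
    {"ip": "10.0.0.9", "user_ws": "ws-b", "conv": "c-200", "status": 200},
    {"ip": "10.0.0.5", "user_ws": "ws-a", "conv": "c-999", "status": 404},
] + [{"ip": "203.0.113.7", "user_ws": None, "conv": f"c-{n}", "status": 404}
     for n in range(300, 306)]

# Constructed ownership map: conversation id -> workspace that owns it.
OWNERS = {"c-100": "ws-a", "c-101": "ws-a", "c-200": "ws-b"}

def find_anomalies(records, owners, enum_threshold=5):
    """Return (kind, client_ip, detail) findings for message-history reads."""
    findings = []
    misses = defaultdict(set)  # client ip -> distinct conversation ids that 404'd
    for r in records:
        if r["status"] == 404:
            misses[r["ip"]].add(r["conv"])
            continue
        owner = owners.get(r["conv"])
        if r["status"] != 200 or owner is None:
            continue
        if r["user_ws"] is None:
            # Successful read with no authenticated principal (Flaw 3 pattern).
            findings.append(("unauthenticated_read", r["ip"], r["conv"]))
        elif r["user_ws"] != owner:
            # Caller's workspace differs from the owning one (Flaw 1 pattern).
            findings.append(("cross_workspace_read", r["ip"], r["conv"]))
    for ip, convs in sorted(misses.items()):
        # Many distinct unknown ids from one client suggests guessing (Flaw 2).
        if len(convs) >= enum_threshold:
            findings.append(("id_enumeration", ip, len(convs)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, OWNERS):
        print(finding)
```

A real deployment would evaluate the miss count per time window rather than over the whole log.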
Broader AI Platform Security Concerns
DifyTap is a timely reminder that AI platforms handling sensitive enterprise data require the same rigorous security review applied to any multi-tenant SaaS product. As organizations increasingly route confidential information through AI workflows, tenant isolation failures in platforms like Dify represent a novel but high-impact attack surface. Security teams evaluating AI infrastructure should include multi-tenancy isolation testing as a core requirement in vendor assessments.