Security researchers have disclosed a set of data exposure vulnerabilities in Dify, a popular open-source AI application development platform used to power more than one million applications globally. The flaws, found in Dify's multi-tenant cloud service, allowed malicious tenants to cross isolation boundaries and read private conversations, preview other tenants' uploaded documents, and interact with internal APIs that should be inaccessible from the outside.
What is Dify?
Dify is an open-source LLM application development platform that enables developers to build AI-powered workflows, chatbots, and agents without deep ML expertise. The platform offers:
- A visual workflow builder for AI pipelines
- Built-in RAG (retrieval-augmented generation) with document upload
- Multi-model support (OpenAI, Anthropic, open-source models)
- A cloud-hosted SaaS tier alongside self-hosted deployments
With 1 million+ applications built on the platform, Dify occupies a significant position in the enterprise AI tooling ecosystem. The cloud service hosts thousands of concurrent tenants sharing underlying infrastructure.
The Vulnerabilities
Researchers identified multiple isolation failures in Dify's multi-tenant cloud environment:
1. Cross-Tenant Chat Log Access
The most severe flaw allowed an authenticated attacker with a valid Dify account to read private conversation histories from other tenants. By manipulating API request parameters — classic Insecure Direct Object Reference (IDOR) behavior — an attacker could retrieve messages from conversations they did not participate in or own.
Impact: Private AI conversations — which may contain confidential business information, customer data, or sensitive prompts — were readable across tenant boundaries.
2. Cross-Tenant Document Preview
Dify's document management feature, used to feed knowledge base content into RAG pipelines, was similarly vulnerable. Authenticated users could access and preview documents uploaded by other tenants by manipulating document identifiers in API calls.
Impact: Proprietary documents, training data, and business-sensitive files uploaded to inform AI assistants were exposed to unauthorized parties.
3. Internal API Reachability
Researchers also found that certain internal API endpoints — intended only for system-level processes — were reachable from tenant-facing API paths. While the full extent of exploitability is still being assessed, internal API access can enable privilege escalation, infrastructure mapping, and potential lateral movement within the platform.
Technical Root Cause
The underlying issue is a failure to enforce tenant-scoped authorization on API endpoints that handle sensitive resources. In a properly implemented multi-tenant system, every data access — reads, writes, previews — should be validated against the requesting user's tenant context. Dify's flaws suggest:
- Authorization checks missing or bypassable on document and conversation endpoints
- Predictable or sequential resource identifiers enabling enumeration
- Insufficient isolation between the tenant-facing API surface and internal service endpoints
Multi-tenant isolation bugs of this class are notoriously common in SaaS platforms that evolve quickly — feature velocity often outpaces security review of authorization logic.
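The missing check described above, shown as an added example that is not Dify's code: a lookup keyed only on a client-supplied ID beside one where the session's tenant is part of the lookup predicate. All names (`Resource`, `RequestContext`, `STORE`, `fetch_unscoped`, `fetch_scoped`, `can_read`) and the sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Raised for missing AND foreign resources, so IDs cannot be probed."""

@dataclass(frozen=True)
class Resource:
    id: str
    tenant_id: str
    kind: str  # "conversation" or "document"
    body: str

@dataclass(frozen=True)
class RequestContext:
    user_id: str
    tenant_id: str  # taken from the authenticated session, never from request params

# Constructed sample data: two tenants sharing one store.
STORE = {
    r.id: r for r in (
        Resource("conv-1001", "tenant-a", "conversation", "A: draft contract terms"),
        Resource("conv-1002", "tenant-b", "conversation", "B: customer refund case"),
        Resource("doc-2001", "tenant-b", "document", "B: internal pricing sheet"),
    )
}

def fetch_unscoped(resource_id: str) -> Resource:
    """Vulnerable pattern: lookup by client-supplied ID only (IDOR)."""
    try:
        return STORE[resource_id]
    except KeyError:
        raise NotFound(resource_id) from None

def fetch_scoped(ctx: RequestContext, resource_id: str, kind: str) -> Resource:
    """Hardened pattern: the session's tenant is part of the lookup predicate."""
    res = STORE.get(resource_id)
    if res is None or res.tenant_id != ctx.tenant_id or res.kind != kind:
        raise NotFound(resource_id)  # same error for missing and foreign
    return res

def can_read(ctx: RequestContext, resource_id: str, kind: str) -> bool:
    """Convenience wrapper used to exercise the scoped check."""
    try:
        fetch_scoped(ctx, resource_id, kind)
        return True
    except NotFound:
        return False
```

Returning the same error for a nonexistent ID and another tenant's ID keeps the endpoint from acting as an existence oracle, which matters when identifiers are predictable.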
Who is Affected?
Any organization using Dify's cloud-hosted SaaS service should assume their conversation data and uploaded documents may have been accessible to other tenants prior to patching. Self-hosted Dify deployments (single-tenant) are not affected by the cross-tenant isolation bugs, though internal API exposure may still apply depending on configuration.
Particularly sensitive use cases to consider:
- Legal and compliance teams using AI assistants with confidential documents
- Customer support chatbots processing customer PII
- Healthcare organizations using AI workflows with patient-adjacent data
- Financial services with proprietary models or trading logic in prompts
Response and Patch Status
Dify's security team was notified through responsible disclosure. Organizations should:
- Check Dify's official security advisories for patch status and affected versions
- Audit conversation and document contents uploaded to the cloud service for sensitive data
- Rotate API keys used by Dify integrations as a precaution
- Consider migrating sensitive workloads to self-hosted Dify until the cloud platform is confirmed patched
Broader Implications for AI Platform Security
This disclosure highlights a category of risk that is growing as AI platforms mature: multi-tenant data leakage in AI infrastructure. Unlike traditional SaaS apps, AI platforms face compounding risks:
| Risk Factor | Traditional SaaS | AI Platforms |
|---|---|---|
| Data sensitivity | Variable | High — conversations reveal intent, strategy, IP |
| Cross-tenant blast radius | Limited | High — RAG knowledge bases contain curated proprietary data |
| API surface complexity | Standard CRUD | Complex — model APIs, vector stores, workflow orchestration |
| Patch urgency | Normal | Critical — historical conversation data may be unrecoverable |
AI platform providers must treat tenant isolation as a first-class security property, subject to the same rigorous review as authentication and encryption.
Recommendations
| Action | Priority |
|---|---|
| Monitor Dify security advisories and apply patches promptly | Critical |
| Audit sensitive data uploaded to Dify cloud RAG knowledge bases | High |
| Rotate Dify API credentials and review access logs | High |
| Evaluate self-hosted deployment for sensitive workloads | Medium |
| Implement DLP controls on AI platform inputs and outputs | Medium |