CVE-2026-34082

Summary

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue.

Affected Software

VendorProductVersion RangeStatus
langgeniusdify< 1.13.1affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization
  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References