Cybersecurity researchers at Zafran Security have disclosed four vulnerabilities, collectively dubbed DifyTap, in the open-source Dify platform. Dify, an agentic workflow tool with over 146,000 GitHub stars, is used to build AI-powered applications. The flaws could allow attackers to stealthily read AI conversations from other customers' applications without requiring authentication.
The vulnerabilities pose a significant risk because exploitation requires no authentication. By chaining the flaws, an attacker could access sensitive conversational data across different tenants, effectively breaking the platform's multi-tenant isolation. The precise CVSS score and number of affected systems have not been disclosed, but the widespread adoption of Dify suggests a broad potential impact.
Technical details indicate the attack vector involves manipulating workflow requests to bypass tenant boundaries. The flaws enable a remote attacker to extract AI chat logs without leaving obvious traces, making detection challenging. Specific indicators of compromise have been withheld from public release to allow users time to patch.
Zafran Security has reported the vulnerabilities to the Dify maintainers. As of the latest information, patches are being developed; users are advised to monitor for updates and apply them promptly. In the meantime, restricting network access to the Dify instance and reviewing access logs for anomalies are recommended.
Zafran Security is credited with the discovery; no evidence of active exploitation has been reported yet. The disclosure highlights ongoing challenges in securing open-source AI platforms that handle sensitive data across multiple tenants.