Vulnerability in Langgenius Dify
CVE-2026-28288
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the…
EPSS: 0.005 (64.1th percentile)
Affected products
- Langgenius Dify — versions < 1.9.0
Weakness classification (CWE)
References
- https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx (x_refsource_CONFIRM)
- https://github.com/langgenius/dify/issues/24323 (x_refsource_MISC)