Auth bypass in Langgenius Dify
CVE-2026-34082
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete s…
Vulnerability class: Broken Access Control
EPSS: 0.000 (11.0th percentile)
Affected products
- Langgenius Dify — versions < 1.13.1
Weakness classification (CWE)
References
- https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p (x_refsource_CONFIRM)
- https://github.com/langgenius/dify/releases/tag/1.13.1 (x_refsource_MISC)