Auth bypass in Langgenius Dify

CVE-2026-41950

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files ar…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (9.0th percentile)

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Frequently asked questions

What is CVE-2026-41950?
CVE-2026-41950 is a medium-severity vulnerability in Langgenius Dify, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 6.5/10. Published 2026-05-05.
How severe is CVE-2026-41950?
Medium severity. CVSS v3 base score is 6.5 out of 10.