Nixpkgs security tracker
Dismissed
(not in Nixpkgs)
Permalink
CVE-2026-41950
6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
Dify < 1.14.0 Authorization Bypass via File UUID
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.
References
-
-
-
https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid third-party-advisory
Affected products
dify
- <1.14.0
Matching in nixpkgs
pkgs.speedify
Use multiple internet connections in parallel
-
nixos-unstable 15.8.2-12611
- nixpkgs-unstable 15.8.2-12611
- nixos-unstable-small 15.8.2-12611
-
nixos-25.11 15.8.2-12611
- nixos-25.11-small 15.8.2-12611
- nixpkgs-25.11-darwin 15.8.2-12611
Package maintainers
-
@vdemeester Vincent Demeester <vincent@sbr.pm>
-
@zahrun Zahrun <zahrun@murena.io>