{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34082", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.868Z", "datePublished": "2026-04-20T23:03:18.158Z", "dateUpdated": "2026-04-21T13:36:45.614Z"}, "containers": {"cna": {"title": "Dify has IDOR in deleting someone else's chat conversation", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p"}, {"name": "https://github.com/langgenius/dify/releases/tag/1.13.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/langgenius/dify/releases/tag/1.13.1"}], "affected": [{"vendor": "langgenius", "product": "dify", "versions": [{"version": "< 1.13.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T23:03:18.158Z"}, "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue."}], "source": {"advisory": "GHSA-fxq3-hh7x-c63p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:36:43.030472Z", "id": "CVE-2026-34082", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:36:45.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Dify has IDOR in deleting someone else's chat conversation", "source": {"advisory": "GHSA-fxq3-hh7x-c63p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "langgenius", "product": "dify", "versions": [{"status": "affected", "version": "< 1.13.1"}]}], "references": [{"url": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p", "name": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langgenius/dify/releases/tag/1.13.1", "name": "https://github.com/langgenius/dify/releases/tag/1.13.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T23:03:18.158Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34082", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T13:36:43.030472Z"}}}], "references": [{"url": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-21T13:36:37.072Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-34082", "state": "PUBLISHED", "dateUpdated": "2026-04-20T23:03:18.158Z", "dateReserved": "2026-03-25T16:21:40.868Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T23:03:18.158Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dify:dify:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E1DAEF4-9EFA-47F5-A2D3-F14C4643E5D2", "versionEndExcluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue."}], "id": "CVE-2026-34082", "lastModified": "2026-04-23T15:12:29.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T23:16:24.250", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/langgenius/dify/releases/tag/1.13.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langgenius/dify/security/advisories/GHSA-fxq3-hh7x-c63p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.13.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dify", "source": "cna", "vendor": "langgenius"}, "product": "dify", "vendor": "langgenius"}], "analysis": {"en": {"generated_at": "2026-04-22T03:27:36.875716+00:00", "value": {"mitigation_remediation": ["Upgrade to Dify version 1.13.1 or later, which contains the authorization fix.", "Implement additional ownership checks on delete operations so that only the conversation owner or an administrator can delete a conversation.", "Monitor API logs for unauthorized delete attempts and alert security staff to suspicious activity."], "summary": {"action": "Patch", "impact": "Unauthorized Data Deletion"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source LLM application platform Dify from langgenius prior to version 1.13.1. Users who have authenticated access to the console API can send delete requests for conversations they do not own.", "description_and_impact": "The vulnerability is an Insecure Direct Object Reference that permits any authenticated user to delete another user's chat conversation. It stems from inadequate authorization checks on the DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> endpoint, aligning with CWE-284 (Improper Authorization). The consequence is the loss of user data and potential privacy violations, but it does not enable code execution or network compromise.", "risk_and_exploitability": "With a CVSS score of 5.3 the vulnerability is considered moderate. The EPSS score of 0.00038 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is straightforward: any authenticated user can construct a DELETE request for a conversation ID belonging to another user. The impact is limited to data loss, but the simplicity of the request pathway means the risk remains significant for environments where user data persistence is critical."}}}}, "created": "2026-04-21T01:00:12.422239+00:00", "updated": "2026-04-22T03:30:06.689870+00:00", "vendors": ["langgenius", "langgenius$PRODUCT$dify"]}