AI platform Dify, with 10 million installs, exposes users to one-click account takeover


Dify, a popular low-code AI application development platform with over 142,000 stars on GitHub, was found to contain critical vulnerabilities that allowed a one-click account takeover. Imperva researchers warn that AI tools are racing to add features without ensuring security.

Dify is a hugely popular open-source platform that lets companies build and run their own AI tools without hiring teams of engineers. Its Docker container has been pulled over 10 million times.

“Agentic workflows, RAG pipelines, integrations, and observability – all in one place,” the company’s website reads.

“Build production-ready agentic workflows.”

However, all an attacker needed to take over a Dify account was to send the victim a single link and hope that they clicked it.

Imperva Threat Research discovered two critical vulnerabilities and responsibly disclosed them, but Dify never responded. The vulnerabilities were silently patched months later.

“Both vulnerabilities we found in Dify stem from the same oversight: security controls that weren’t designed to keep pace with the platform’s feature growth,” the report by Imperva reads.

Because many widely used self-hosted instances may remain unpatched for months, the researchers urge admins to verify they’re running patched versions of the tool.

Dify instances would be gold mines for attackers due to the data they hold, including AI model API keys, connected service credentials, proprietary workflows, and potentially private user data. The potential blast radius could compromise the entire “production-ready” workspace.

One click to a complete compromise

The first bug is trivial to exploit and severely dangerous. It affects Dify’s file upload handling.

Dify stores all files publicly without authentication, with predictable URL patterns, and without access controls.

More critically, the subdomain for uploads (upload.dify.ai) is configured as the DNS alias of the main application domain (cloud.dify.ai), where users authenticate and manage their workflows.

This essentially means that simply swapping a subdomain from “upload” to “cloud” in the uploaded file’s URL would open the file with all the privileges of whoever opens it.

Attackers can simply create a burner account, upload a malicious file, change the link pointing to it, share the link with the victim, and if the victim clicks, they’re done.

To demonstrate this, Imperva researchers simply created and uploaded an image file in the SVG file format, which is XML-based, but can also contain JavaScript code.

Copy the file’s URL, swap the subdomain, and send it to the administrator. Clicking the image runs the code.

“When a browser renders an SVG file served from a trusted origin, any embedded script executes with full access to that origin’s session context, including cookies, local storage, and API calls,” Imperva explained.

“One click leads to account takeover.”

Imperva sent the initial disclosure on January 14th, 2026. More than two months later, on March 17th, the company quietly released a fix that overwrote the content-type of the HTTP response to “application/octet-stream,” which essentially forces every file to download instead of opening.
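For admins who want to check how their own instance serves uploaded files, the header audit below is an added example, not code from Dify or from Imperva's report. The hostnames, the sample header sets and the function name are constructed placeholders; it goes slightly beyond the described fix by also accepting `Content-Disposition: attachment` or a CSP `sandbox` directive as mitigations.

```python
# Added example (not Dify's code): audit how an endpoint serves user uploads.
# Content types a browser parses as a document and may run script from.
SCRIPT_CAPABLE = {"image/svg+xml", "text/html", "application/xhtml+xml",
                  "text/xml", "application/xml"}

# Constructed samples: header sets and hostnames are placeholders.
BEFORE = {"Content-Type": "image/svg+xml"}
AFTER = {"Content-Type": "application/octet-stream",
         "X-Content-Type-Options": "nosniff"}


def audit_upload_response(headers, served_host, app_host):
    """Return findings for one HTTP response that serves a user-uploaded file.

    headers     -- response headers as a dict
    served_host -- hostname the file URL was requested on
    app_host    -- hostname where users hold authenticated sessions
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    attachment = h.get("content-disposition", "").startswith("attachment")
    csp = h.get("content-security-policy", "")
    sandboxed = any(d.split()[:1] == ["sandbox"] for d in csp.split(";"))
    nosniff = h.get("x-content-type-options") == "nosniff"

    findings = []
    if ctype in SCRIPT_CAPABLE and not attachment and not sandboxed:
        findings.append("script-capable content rendered inline")
        # Same hostname as the app means same origin as the user's session.
        if served_host.lower() == app_host.lower():
            findings.append("renders in the authenticated application origin")
    if not nosniff:
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_upload_response(hdrs, "app.example.test",
                                           "app.example.test"))
```
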

“Dify did not respond to any of our disclosure messages and chose to patch silently,” Imperva said.

Snooping private code

The second bug was an insufficient tenant isolation flaw in shared environments – Dify was exposing users’ application private source code to other users on the same platform.

While Dify’s sandbox was intended to isolate users’ code, the Python executions shared a filesystem location and ran under the same hardcoded system identity.

Basically, attackers could grab scripts belonging to other users from the shared /tmp folder.

Dify encrypted each of the files, but the implementation was so weak that the researchers reconstructed the source code directly from the stolen file.

“This looks like ‘encryption,’ but it is really a byte-wise Vigenere cipher with a 64-byte repeating key,” the report reads.

In later patches, Dify gave each execution its own unique identity, preventing users from accessing each other’s files, but the weak encryption was not addressed.
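The self-test below is an added example, not taken from Imperva's report or Dify's code base: it feeds a known plaintext through a storage-encryption routine and reports whether the key stream repeats. The toy cipher, `DEMO_KEY`, the sample text and the modulo-256 addition are assumptions; the report gives only the cipher class and the 64-byte key length.

```python
# Added example: constructed toy cipher, not Dify's code.
KEY_LEN = 64  # key length given in the report
DEMO_KEY = bytes((7 * i + 3) % 256 for i in range(KEY_LEN))  # constructed key
KNOWN = b"# constructed sample script\n" * 6  # constructed plaintext, 168 bytes


def toy_encrypt(data, key):
    """Byte-wise Vigenere; addition modulo 256 is an assumed combining step."""
    return bytes((b + key[i % len(key)]) % 256 for i, b in enumerate(data))


def toy_decrypt(data, key):
    """Inverse of toy_encrypt: subtract the repeating key modulo 256."""
    return bytes((b - key[i % len(key)]) % 256 for i, b in enumerate(data))


def keystream_period(plaintext, ciphertext, max_period=256):
    """Return the smallest period of (ciphertext - plaintext) mod 256, or None.

    For a repeating-key cipher the difference bytes are the key itself, so a
    period here means any reader with some known plaintext holds the key.
    Needs at least two full periods of data to report a period.
    """
    diff = bytes((c - p) % 256 for p, c in zip(plaintext, ciphertext))
    for period in range(1, max_period + 1):
        if len(diff) < 2 * period:
            break
        if all(diff[i] == diff[i - period] for i in range(period, len(diff))):
            return period
    return None


if __name__ == "__main__":
    ct = toy_encrypt(KNOWN, DEMO_KEY)
    print("key stream period:", keystream_period(KNOWN, ct))
```

A routine that passes this check is not thereby secure; the test only catches the repeating-key class the report describes.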

Broader problems with AI platforms

Imperva believes that these vulnerabilities are just a reflection of broader problems affecting the ecosystem of AI-powered tools.

“Both findings point to the same structural challenge: platforms that centralize trust must also centralize rigor in how they isolate users and handle untrusted input,” Imperva said.

“Even though AI automation platforms are increasingly becoming integration hubs for complex workflows, their security posture still lags behind their rapid evolution and operational importance.”

The researchers warn that as AI tools add more features for collaboration, file sharing, multi-tenant environments, etc., each new surface must be hardened.

