DifyTap: Four Security Flaws Enable Unauthorized Access to AI Conversations of Other Tenants

In a nutshell: Four vulnerabilities in Dify (146,000+ GitHub stars) allow unauthenticated exfiltration of other tenants' AI chat histories across tenant boundaries.

Researchers from Zafran Security have disclosed four security flaws in the open-source platform Dify that could allow attackers without authentication to access AI conversations from customers of other organizations.

Dify is a widely used open-source platform for agentic workflows with over 146,000 stars on GitHub. Security research from Zafran Security has identified four vulnerabilities that allow attackers to covertly read AI conversations from client applications of other organizations without needing to authenticate.

The flaws have been grouped under the term DifyTap. They enable exploitation across tenant boundaries — a critical security risk in multi-tenant environments, as sensitive conversation content (such as proprietary instructions, context data, or system prompts) can be intercepted undetected.

This is relevant for CISOs because Dify is used in many enterprises for the automation and orchestration of AI agents. Successful exploitation threatens not only the confidentiality of customer data but also the integrity of AI systems and their training/context data. This particularly affects organizations that operate Dify as a multi-tenant SaaS instance or whose security model is based on the assumption that tenants are isolated from one another.


Source: thehackernews.com · Published 22 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.