CVE-2026-28288 Scanner

Dify is an open-source platform designed for the development of LLM apps, used by developers around the world to create and manage various applications. Its main users include software developers and tech companies aiming to leverage user-defined logic in application workflows. The platform enables the creation and deployment of customized applications and APIs. As a versatile tool, Dify supports multiple languages and frameworks, making it a popular choice among developers seeking flexibility in app development. The platform is continually updated and maintained, with a focus on user efficiency and security. With integrative capabilities, Dify finds its application in diverse sectors, from tech startups to major enterprises.

The vulnerability detected involves User Enumeration, a security weakness that allows attackers to differentiate between valid and invalid user accounts. In Dify, this vulnerability arises due to discrepancies in the platform's API responses when interacting with existing and non-existing accounts. User Enumeration can provide attackers with information about registered email addresses, potentially initiating further malicious activities. This type of vulnerability is common in systems not properly managing authentication responses. It is critical to address such vulnerabilities to maintain user data confidentiality and prevent unauthorized data gathering. The exploitation of User Enumeration often acts as a precursor to phishing attacks or credential stuffing.

The vulnerability centers around the login API endpoint where different responses are returned for erroneous and correct user account details. Attackers exploiting this vulnerability can utilize identifiable response patterns to determine the existence of specific email addresses within the system. Technical aspects involve examining response codes, message text, or header content discrepancies when incorrect account details are submitted. By submitting requests to the login API with different email addresses, attackers can analyze the API's response to deduce account existence, owing to the absence of uniform error handling. Such a vulnerability becomes a significant concern when a platform's error messages disclose information that should remain confidential.

Exploitation of this User Enumeration vulnerability can lead to various adverse effects, primarily aiding attackers in crafting targeted phishing attacks or executing credential stuffing attacks. With knowledge of active user accounts, attackers can efficiently direct social engineering or breaching attempts. Furthermore, such exposure amplifies the risk of privacy invasion for users whose accounts have been enumerated. Organizations may face reputational damage and loss of user trust as users become vulnerable to increased cyber threat activity. Therefore, it's imperative to resolve user enumeration weaknesses to avert unauthorized user information disclosure and uphold platform security.

REFERENCES

• https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx
• https://github.com/langgenius/dify/issues/24323