AbejaIT AbejaIT

Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants

07.07.2026

Researchers from Zafran Security disclosed four vulnerabilities in Dify — a popular open-source platform for building agentic AI workflows — collectively named DifyTap. The flaws enable unauthorized access to AI model conversations belonging to other tenants, posing a serious threat in multi-tenant environments. Organizations using Dify should prioritize verifying their configuration and monitoring for updates.

Platforms for building agentic AI applications — such as Dify, LangChain, and Flowise — are gaining popularity at a pace that often outstrips the maturity of security processes surrounding their deployments. The DifyTap vulnerabilities in the Dify platform disclosed by Zafran Security are symptomatic of a broader trend: the growing adoption of AI tools in enterprise environments brings a new type of security risk for which traditional protection models may be insufficient.

What Is Dify and Why Is It Popular in B2B?

Dify is an open-source platform enabling the creation of applications based on large language models (LLMs) — from simple chatbots to complex agentic systems with access to external tools, databases, and APIs. The platform offers a visual flow builder, prompt management, conversation monitoring, and multi-tenancy mechanisms, making it a popular choice for companies wanting to build internal AI tools or LLM-based products.

The multi-tenant model means multiple organizations or teams can use a single Dify instance while maintaining apparent isolation of their data, prompts, and conversation histories. This isolation is the key security requirement — and it is precisely what proved leaky in the DifyTap vulnerabilities.

DifyTap Vulnerability Details

Researchers from Zafran Security identified four interconnected flaws that together create an attack path enabling unauthorized access to other tenants' resources:

  • Insufficient access control — API endpoints did not properly verify whether the requesting user has rights to access another tenant's resources.
  • Insecure Direct Object Reference (IDOR) — ability to directly reference conversation or application identifiers belonging to other tenants by substituting parameters in the request.
  • Context isolation errors — tenant isolation mechanisms were ineffective in certain API flows.
  • Session management vulnerability — under specific conditions, one user's session could access resources assigned to another tenant.

The consequence of exploiting these vulnerabilities is the ability to read conversation histories, system prompts, application configurations, and LLM query results belonging to other organizations using the same Dify instance. For companies that deployed Dify as an internal tool for working with sensitive data (legal analysis, commercial documents, HR data), tenant isolation breach means potential leakage of confidential information.

Implications for Organizations Deploying AI Platforms

DifyTap vulnerabilities point to a systemic risk that appears with the rapid deployment of AI tools: multi-tenancy security requires deep verification at the level of every endpoint and data flow, not just global authentication mechanisms. Organizations deploying AI platforms should conduct penetration tests of multi-tenant environments before making them available to a wider user base.

It is also worth remembering that LLM conversation histories often contain particularly sensitive data — users frequently paste information into chatbots that they would not include in a regular helpdesk ticket. Access management for this data should be subject to the same rigor as access to CRM or ERP systems.

AbejaIT: Secure AI Platform Deployments for B2B Companies

Implementing agentic AI in a B2B organization is not just a technology project — it is an initiative requiring careful risk management. At AbejaIT, we offer comprehensive advisory and implementation services in AI solutions for companies, incorporating security, GDPR compliance, and data governance aspects from the architecture design stage.

If your organization is considering deploying an AI platform for building chatbots, workflow automation, or analytical tools, our team will help design an environment with data isolation, access control, and auditability built in. IT consulting in the AI area includes security maturity assessment of the chosen platform, environment configuration, and monitoring procedures. Do not deploy AI without awareness of the risks — deploy AI with a plan for managing those risks.

Practical Steps for Organizations Using AI Platforms

For organizations using Dify or other multi-tenant AI platforms, the DifyTap vulnerabilities should signal a security configuration review. The first step is verifying that the platform is up to date and that the vendor has released patches addressing the described vulnerabilities. Next, review user and tenant permissions, remove unused accounts and applications, and enable audit activity logging.

Long-term, when selecting AI platforms for deployment, organizations should include security as one of the key evaluation criteria — alongside functionality, performance, and costs. Platforms with active bug bounty programs, transparent vulnerability disclosure policies, and regularly updated security documentation are a safer choice than projects that do not prioritize security. In the open-source ecosystem, community security activity (number of CVEs, time from report to fix, quality of documentation) is a good indicator of project maturity. Investing in careful AI platform selection at the start of a project is many times cheaper than managing the consequences of a data compromise in a production environment. The organizations that treat AI platform security evaluation as rigorously as they treat traditional software vendor security assessments will be the ones that scale their AI initiatives without corresponding growth in security incidents.

Source: The Hacker News