CVE-2026-34082 PUBLISHED

Dify has IDOR in deleting someone else's chat conversation

Assigner: GitHub_M
Reserved: 25.03.2026
Published: 20.04.2026
Updated: 20.04.2026

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method DELETE /console/api/installed-apps/<appId>/conversations/<conversationId> performs insufficient authorization checking: it verifies that the caller is authenticated but not that the caller owns the referenced conversation, so any Dify-authenticated user can delete someone else's chat history by supplying its conversation ID. Version 1.13.1 patches the issue.
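The authorization pattern behind this class of defect (CWE-863), as an added illustration that is not Dify's code: a hypothetical in-memory conversation store with a delete routine in the weak shape (only checks that the caller is logged in and the record exists) beside the corrected shape (also checks that the record belongs to the caller). The store, user names and function names are constructed for the example.

```python
# Added example, hypothetical stand-in for a conversation-delete handler.
# Not Dify's implementation; the data below is constructed.
from dataclasses import dataclass


@dataclass
class Conversation:
    conversation_id: str
    app_id: str
    owner_id: str  # user who created the chat


class AuthorizationError(Exception):
    pass


# Constructed sample data: two users, one conversation each, in the same app.
CONVERSATIONS = {
    "conv-a": Conversation("conv-a", "app-1", "alice"),
    "conv-b": Conversation("conv-b", "app-1", "bob"),
}


def delete_conversation_weak(store, caller_id, app_id, conversation_id):
    """Vulnerable shape: authentication is checked, ownership is not.
    Any logged-in user can delete any conversation whose id they know."""
    if not caller_id:
        raise AuthorizationError("login required")
    conv = store.get(conversation_id)
    if conv is None or conv.app_id != app_id:
        return False
    del store[conversation_id]
    return True


def delete_conversation_checked(store, caller_id, app_id, conversation_id):
    """Fixed shape: the lookup is scoped to the caller. A conversation owned
    by someone else is treated exactly like one that does not exist, so the
    endpoint neither deletes it nor reveals that it exists."""
    if not caller_id:
        raise AuthorizationError("login required")
    conv = store.get(conversation_id)
    if conv is None or conv.app_id != app_id or conv.owner_id != caller_id:
        return False  # same response as "not found": no existence oracle
    del store[conversation_id]
    return True
```

In a real service the ownership filter belongs in the database query (conversation id AND owner id together), not in a second check after a lookup by id alone.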

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor langgenius
Product dify
Versions
  • Version < 1.13.1 is affected

References

Problem Types

  • CWE-863: Incorrect Authorization
  • CWE-284: Improper Access Control