Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
Dify is the software behind more than a million AI applications, and enterprises like Volvo, Maersk, Panasonic, and Thermo Fisher build on it. On June 22, 2026, researchers showed that anyone who registered a free account on Dify's cloud service could quietly reroute another company's chatbot conversations to themselves, reading every question users asked and every answer the model sent back.
No password was stolen and no malware was planted. The attacker simply switched on a feature that was meant to belong to someone else. That detail is the whole story, and it says something uncomfortable about where a company's most sensitive data now sits.
The work comes from Zafran Security, whose researchers Ido Shani and Gal Zaban documented four separate flaws, two of them rated critical, under the name DifyTap. Dify is an open-source LLMOps platform, meaning the plumbing teams use to build and run chatbots, retrieval systems, and AI workflows. It offers a multi-tenant cloud at cloud.dify.ai, where many organizations share one backend, and three of the four flaws let one tenant reach across that shared wall into another's data. Zafran also found tens of thousands of Dify instances exposed directly to the internet.
The most serious flaw, tracked as CVE-2026-41947 (rated 9.1 out of 10), abuses a monitoring feature called tracing. Tracing is meant to let you pipe your own app's conversation logs to an outside analytics provider so you can watch performance, and those logs hold the actual prompts and model replies. Dify never checked that the person enabling tracing on an app was the person who owned it. An attacker only needed the app's internal ID, which Dify hands out in plain sight to anyone who opens the app as an ordinary user. With it, they could point a victim app's entire conversation stream at their own analytics account. Picture filing a change-of-address form on someone else's mailbox: every future message now arrives at your door, and the owner notices nothing.
The exposure is broad: private chat histories and uploaded files belonging to customers of a platform that runs a million applications, much of it reachable by anyone willing to fill in a signup form. There is no public sign the flaws were exploited before the fix, and three of the four were patched in version 1.14.2 in May 2026. The reason to carry this into your own planning is the blind spot it exposes. People paste their rawest material into chatbots: contract clauses, customer records, source code, half-formed strategy. If your team stood up an internal assistant on a shared AI platform this year, the transcript of every one of those conversations sits in that platform's database, and the only thing keeping it apart from the next tenant's data is a set of authorization checks scattered across dozens of internal endpoints. DifyTap is what one missing check looks like. The tracing attack is the quiet one, because it does not break in once and leave. It sets up a standing feed, so the wiretap keeps running until somebody thinks to look for it. Expect more of this. Zafran found a near-identical class of bug in another AI framework only weeks earlier, and the hard problem underneath, keeping tenants isolated inside fast-moving AI infrastructure, is the same one that took cloud computing fifteen years to get right.
DifyTap needed no clever exploit. It needed a free account and a setting that trusted the wrong person. As organizations rush to build on shared AI platforms, the conversations and documents they feed those platforms become the new crown jewels, and the walls between one customer and the next are younger and thinner than the ones around a traditional database. Bring one question to your next review: if a stranger signed up on the same AI platform your team builds on, what stops them from reading what your chatbot was told today?


