{"vulnerability": "cve-2026-41947", "sightings": [{"uuid": "31ab4f94-b943-4f20-b53a-d910931d9c8b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41947", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mm5dtbyy3q2o", "content": "CVE-2026-41947 - Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints\nCVE ID : CVE-2026-41947\n \n Published : May 18, 2026, 3:16 p.m. | 55\u00a0minutes ago\n \n Description : Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authen...", "creation_timestamp": "2026-05-18T16:56:44.810872Z"}, {"uuid": "a12c28ee-58bc-4cd6-9c6b-4d7c96db3eeb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-41947", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116599714465595162", "content": "\ud83d\udea8 CRITICAL: CVE-2026-41947 in langgenius Dify \u22641.14.1 lets editor users bypass tenant checks, redirecting app messages to attacker LLMs. Free self-registration increases risk. Restrict editor roles & monitor configs. 
https://radar.offseq.com/threat/cve-2026-41947-authorization-bypass-through-user-c-da35e5dc #OffSeq #CVE202641947 #AppSec", "creation_timestamp": "2026-05-19T06:00:48.759805Z"}, {"uuid": "55597ebc-db70-4ebf-97d9-2d90e37ae9a9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41947", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3mnuxvice4k2o", "content": "LLM\u30a2\u30d7\u30ea\u958b\u767a\u57fa\u76e4\u300cDify\u300d\u306b\u8907\u6570\u306e\u30af\u30ea\u30c6\u30a3\u30ab\u30eb\u8106\u5f31\u6027\n\n\u5927\u898f\u6a21\u8a00\u8a9e\u30e2\u30c7\u30eb\uff08LLM\uff09\u30a2\u30d7\u30ea\u958b\u767a\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u300cDify\u300d\u306b\u60c5\u5831\u6f0f\u6d29\u3084\u8a2d\u5b9a\u306e\u6539\u3056\u3093\u306a\u3069\u8907\u6570\u306e\u8106\u5f31\u6027\u304c\u660e\u3089\u304b\u3068\u306a\u3063\u305f\u3002\n\n...\n\n\u300cCVE-2026-41948\u300d\u306f\u3001Plugin\u30c7\u30fc\u30e2\u30f3\u306e\u300cREST API\u300d\u306b\u304a\u3044\u3066\u8ee2\u9001\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u64cd\u4f5c\u3067\u304d\u308b\u30d1\u30b9\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\u306e\u8106\u5f31\u6027\u3002\u30c6\u30ca\u30f3\u30c8\u306eUUID\u3092\u628a\u63e1\u3057\u3066\u3044\u308b\u5834\u5408\u306b\u3001\u30bf\u30b9\u30af\u8b58\u5225\u5b50\u3084\u30d5\u30a1\u30a4\u30eb\u540d\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u7d30\u5de5\u3057\u3066\u5185\u90e8\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3078\u30a2\u30af\u30bb\u30b9\u3055\u308c\u308b\u304a\u305d\u308c\u304c\u3042\u308b\u3002\n\n\u300cCVE-2026-41947\u300d\u306f\u3001\u7de8\u96c6\u8005\u6a29\u9650\u306b\u304a\u3051\u308b\u8a8d\u53ef\u30d0\u30a4\u30d1\u30b9\u306e\u8106\u5f31\u6027\u3002\u30c8\u30ec\u30fc\u30b9\u8a2d\u5b9a\u306e\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306b\u304a\u3051\u308b\u30c6\u30ca\u30f3\u30c8\u6240...", "creation_timestamp": "2026-06-09T19:53:31.495496Z"}, {"uuid": 
"e39c6255-f6bd-408e-8986-ad16d792ccaa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-41947", "type": "seen", "source": "https://bsky.app/profile/securitycyberuk.bsky.social/post/3motmqfv2my2n", "content": "\ud83d\udea8  ALERT: CVE-2026-41947\n\nCVSS 9.1/10\n\n\ud83d\udccb WHAT IT IS:\nDify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant owners", "creation_timestamp": "2026-06-22T00:25:09.045512Z"}]}