CVE-2025-56157

Published Dec 18, 2025

Last updated 2 months ago

CVSS critical 9.8

Overview

Description
Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
Source
cve@mitre.org
NVD status
Modified
Products
dify

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-798

Social media

Hype score
Not currently trending

  1. CVE-2025-56157 Default Credentials in Dify https://t.co/dSCToWLpw9

    @HackingTeam777

    22 Dec 2025

    1570 Impressions

    6 Retweets

    24 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-56157 Security Advisory - Default Credentials in Dify · GitHub - https://t.co/fjV4t65pJL

    @piedpiper1616

    19 Dec 2025

    1667 Impressions

    4 Retweets

    14 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-56157 Default Credentials Vulnerability in Dify Open-Source AI Development Platform https://t.co/g79cUtEPC6

    @VulmonFeeds

    18 Dec 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.CVE-2026-21866
  2. Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.CVE-2026-28288
  3. Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific javascript payload will be executed. This vulnerability is fixed in 1.13.0.CVE-2026-26023
  4. Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue.CVE-2025-67732
  5. Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. They also state that the description inaccurately classifies the returned data as sensitive system configuration, stating that the data is non-sensitive and required for client-side rendering. No PII, credentials, or secrets are exposed.CVE-2025-63387

References

Sources include official advisories and independent security research.