- Description
- Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- dify
CVSS 4.0
- Type
- Secondary
- Base score
- 8.4
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
- Hype score
- Not currently trending
Google Gemini updates and usage limits: Google is changing the Gemini usage limits for subscribers, which means an increase in the permitted quota. The news also references the vulnerabilities CVE-2026-23550 and CVE-2025-67732. 💡
@MisbarSec
18 Jan 2026
82 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[API key leak] If you self-host Dify, check now. CVE-2025-67732 affects versions below v1.11.0. Even after updating as a fix, inspect your API key usage logs just in case: look for suspicious calls or external IPs. Have you looked at your logs? ht
@4989er
9 Jan 2026
126 Impressions
1 Retweet
1 Like
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-67732: Why Your Dify Logs Just Became a Goldmine for API Key Thieves Read the full report on - https://t.co/5lQcFOPD5A https://t.co/9CNmkpv547
@cyberbivash
7 Jan 2026
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
The LLM app-building tool Dify has fixed a serious vulnerability. CVE-2025-67732 has a CVSS score of 8.4 and concerns plaintext exposure of API keys: the /console/api/workspaces/current/model-providers endpoint, which returns the UI configuration, also returned the API keys for OpenAI and other providers.
@__kokumoto
7 Jan 2026
1118 Impressions
4 Retweets
13 Likes
3 Bookmarks
0 Replies
0 Quotes
CVE-2025-67732 Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to… https://t.co/0yuTY7Fgnm
@CVEnew
6 Jan 2026
166 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:dify:dify:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "B92A73BA-E393-4944-8F8C-E10270DEE6A6",
            "versionEndExcluding": "1.11.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]