Langgenius Dify Password Reset Vulnerability Allowing Unauthenticated Password Guessing

Vulnerability

A vulnerability in Langgenius Dify version 0.10.1 allows unauthenticated attackers to exploit the password reset feature by guessing six-digit verification codes. The absence of limits on code guess attempts could lead to the reset of passwords for owners, admins, or other users, potentially compromising the entire application.

Impact

Exploitation of this vulnerability could result in unauthorized password resets, allowing attackers to gain access to user accounts, including those of owners and admins.
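The missing control described above is an attempt budget on the verification code. The following is an added, constructed illustration (not Dify's code) that places the unbounded check beside a hardened one; the store, the account names and the policy constants MAX_ATTEMPTS and CODE_TTL_SECONDS are assumptions, and the enumeration helper simply exercises both checks across the full six-digit space to show which one holds.

```python
import hmac
import secrets
import time

# Constructed illustration; not Dify's code. Assumed policy values:
CODE_DIGITS = 6
MAX_ATTEMPTS = 5         # failed guesses allowed per issued code
CODE_TTL_SECONDS = 300   # code lifetime in seconds


class ResetCodeStore:
    """Holds one active password-reset code per account with an attempt budget."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # account -> {"code", "expires", "attempts"}

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = {"code": code, "expires": self._now() + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def verify_unlimited(self, account, candidate):
        """The weak pattern the advisory describes: guesses are never counted."""
        entry = self._codes.get(account)
        return entry is not None and entry["code"] == candidate

    def verify(self, account, candidate):
        """Hardened check: expiry, bounded attempts, constant-time compare, single use."""
        entry = self._codes.get(account)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._codes[account]  # stale or exhausted code can never match
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"].encode(), candidate.encode()):
            del self._codes[account]  # consumed: a code works exactly once
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._codes[account]  # budget spent; a fresh code must be requested
        return False


def recoverable_by_enumeration(store, account, verify):
    """Try every six-digit value against verify; True if some guess is accepted."""
    return any(verify(account, f"{n:0{CODE_DIGITS}d}") for n in range(10 ** CODE_DIGITS))
```

With the hardened check the budget is exhausted after MAX_ATTEMPTS wrong guesses and the correct code is rejected until a new one is issued, which is the behaviour a detection rule (repeated reset-code failures per account) should also alert on.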

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread:          0.0
  impact:          5.0
  exploitability:  5.6
  remediation:     0.0
  relevance:       0.0
  threat:          6.4
  urgency:         2.9
  incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.