Dify Improper Access Control Vulnerability Allowing Unauthorized APP Detail Edits

Vulnerability

An access control vulnerability has been identified in Dify, an open-source platform for developing LLM applications. Prior to version 0.6.12, the endpoints for editing an app's name, description, and icon did not verify that the caller held a role permitted to make such changes. As a result, normal (non-admin) workspace members could modify these app details, even for apps they were restricted from viewing, undermining the integrity of the affected apps' metadata. The issue has been patched in version 0.6.12.

Impact

This vulnerability allows any authenticated non-admin user to alter the name, description, or icon of apps in the workspace, including apps they cannot otherwise see. Renamed or mislabeled apps can mislead other workspace members about what an app does and can be used to deface or impersonate existing apps. The advisory covers only these metadata fields; it does not report that app configuration, prompts, or data were exposed or modifiable through this flaw.

Reproduction

To reproduce, log in as a normal workspace member who is restricted from viewing a given app, then submit an update for that app's name, description, or icon to the app-detail editing API. On affected versions (before 0.6.12) the request succeeds, because the endpoint only checks that the caller is authenticated and never checks whether the caller's role permits editing, or even viewing, the target app.

Remediation

Users are advised to update to Dify version 0.6.12 or later; the advisory describes no configuration workaround for affected versions. After upgrading, confirm the fix by repeating the reproduction with a non-admin account: the edit request should now be refused. As a general control, review the role-based access controls (RBAC) in your deployment so that only accounts with admin (or otherwise explicitly privileged) roles can modify app details, and treat any role that can edit an object it cannot view as a misconfiguration.
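The reproduction and remediation sections above describe the same defect from two sides: an edit endpoint that checks authentication but not the caller's role, and a fix that adds that role check. The following is an added illustration written for this page, not Dify's own code. It models the pre-fix and post-fix behaviour in plain Python and includes a regression check for the invariant "a user who can edit an app must also be able to view it". The role names, the App and User classes, and the set of editing roles are assumptions chosen for the example.

```python
"""Added example: a minimal model of the missing role check behind the
Dify app-detail edit bug and of a post-0.6.12 style fix.  Illustration
code for this page, not Dify's own code; the role names, the App/User
classes and the 'edit implies view' check are assumptions."""
import copy
from dataclasses import dataclass, field
from enum import Enum


class Role(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    EDITOR = "editor"
    NORMAL = "normal"


# Assumption for the example: only these roles may change app metadata.
EDIT_ROLES = {Role.OWNER, Role.ADMIN, Role.EDITOR}
EDITABLE_FIELDS = ("name", "description", "icon")


class Forbidden(Exception):
    """Raised when an authenticated user lacks the role for an action."""


@dataclass
class User:
    user_id: str
    role: Role


@dataclass
class App:
    app_id: str
    name: str
    description: str
    icon: str
    # user ids explicitly granted read access (constructed for the example)
    viewers: set = field(default_factory=set)


def can_view(user: User, app: App) -> bool:
    """Privileged roles see every app; others only the apps shared with them."""
    return user.role in EDIT_ROLES or user.user_id in app.viewers


def _apply(app: App, changes: dict) -> App:
    """Write the requested metadata fields; reject anything else."""
    unknown = set(changes) - set(EDITABLE_FIELDS)
    if unknown:
        raise ValueError(f"not editable: {sorted(unknown)}")
    for key, value in changes.items():
        setattr(app, key, value)
    return app


def update_app_vulnerable(user: User, app: App, **changes) -> App:
    """Pre-0.6.12 behaviour as the advisory describes it: the caller is
    authenticated, but neither a role check nor a view check guards the edit."""
    return _apply(app, changes)


def update_app_fixed(user: User, app: App, **changes) -> App:
    """Fixed behaviour: refuse the edit unless the caller holds an editing role."""
    if user.role not in EDIT_ROLES:
        raise Forbidden(f"{user.user_id} ({user.role.value}) may not edit {app.app_id}")
    return _apply(app, changes)


def edit_without_view(user: User, app: App, updater) -> bool:
    """Regression check: True if `updater` lets `user` modify `app` even
    though `user` cannot view it.  Works on a copy so `app` is untouched."""
    trial = copy.deepcopy(app)
    try:
        updater(user, trial, name="renamed by " + user.user_id)
    except Forbidden:
        return False
    return not can_view(user, app)


if __name__ == "__main__":
    support = App("app-1", "Support bot", "Answers tickets", "robot", viewers={"u-owner"})
    normal = User("u-normal", Role.NORMAL)
    print("vulnerable:", edit_without_view(normal, support, update_app_vulnerable))  # True
    print("fixed:     ", edit_without_view(normal, support, update_app_fixed))       # False
```

The check in edit_without_view is the one to keep after upgrading: run it for every role your deployment defines against an app that role cannot view, and any True result means an edit path is still missing its authorization check.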

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.