Dify Access Control Vulnerability Allowing Unauthorized App Management via API

Vulnerability

An access control vulnerability has been identified in Dify, an open-source platform for developing LLM applications. The issue, present in versions up to and including 0.6.8, allows normal (non-admin) users to enable or disable apps by calling the API directly, bypassing a restriction that is enforced only in the web UI. The root cause is a missing server-side role check: the affected endpoints do not verify that the caller holds admin privileges, so non-admin users can make unauthorized changes that disrupt app functionality and availability. Affected API endpoints include '/console/api/apps/{app.id}/site-enable' and '/console/api/apps/{app.id}/api-enable'.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in app states, causing disruptions and instability within the applications. Such actions could result in service downtime, data loss, and other operational challenges.

Reproduction

To reproduce this vulnerability, a normal user account can be used to send API requests to the endpoints '/console/api/apps/{app.id}/site-enable' and '/console/api/apps/{app.id}/api-enable'. Although the web UI disables the corresponding buttons for normal users, the server accepts these requests without an authorization check, allowing the user to enable or disable apps. The effect can be verified by checking the app's status in the web UI or through the API after the request is made.

Remediation

The vulnerability has been patched in Dify version 0.6.12, and users should update to that version. For those unable to update, the API access control mechanisms should be reviewed so that only users with admin privileges can enable or disable apps. Enforcing role-based access control (RBAC) on the server side for the affected API endpoints, rather than relying on the web UI hiding the buttons, aligns the effective permissions with the intended restrictions.
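The following is an added illustration of the server-side check described above; it is not Dify's code. It models the two advisory endpoints as plain Python handlers, with the role names "admin" and "normal" and the guard function being assumptions chosen for the example.

```python
from dataclasses import dataclass

# Roles allowed to change app state. Assumed role names, not Dify's own.
PRIVILEGED_ROLES = {"admin"}


class Forbidden(Exception):
    """Raised when the caller's role may not change an app's state."""


@dataclass
class App:
    app_id: str
    site_enabled: bool = True
    api_enabled: bool = True


@dataclass
class User:
    user_id: str
    role: str  # "admin" or "normal" (constructed sample roles)


def require_admin(user: User) -> None:
    """The check that must run inside every state-changing endpoint.
    Hiding a button in the web UI is not authorization; the server must
    reject the request itself when the caller lacks the privilege."""
    if user.role not in PRIVILEGED_ROLES:
        raise Forbidden(f"role '{user.role}' may not change app state")


def set_site_enable(user: User, app: App, enable: bool) -> App:
    """Handler modelled on /console/api/apps/{app.id}/site-enable."""
    require_admin(user)
    app.site_enabled = enable
    return app


def set_api_enable(user: User, app: App, enable: bool) -> App:
    """Handler modelled on /console/api/apps/{app.id}/api-enable."""
    require_admin(user)
    app.api_enabled = enable
    return app


def attempt(user: User, app: App, handler, enable: bool) -> int:
    """Returns the HTTP-style status the caller would see: 200 or 403."""
    try:
        handler(user, app, enable)
        return 200
    except Forbidden:
        return 403
```

With the guard in place a normal user's request returns 403 and the app's flags are unchanged, while an admin's request returns 200 and flips the flag.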

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.6
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.