{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28288", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.735Z", "datePublished": "2026-02-27T20:25:24.599Z", "dateUpdated": "2026-02-27T20:45:44.126Z"}, "containers": {"cna": {"title": "Dify has a user enumeration issue", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx"}, {"name": "https://github.com/langgenius/dify/issues/24323", "tags": ["x_refsource_MISC"], "url": "https://github.com/langgenius/dify/issues/24323"}], "affected": [{"vendor": "langgenius", "product": "dify", "versions": [{"version": "< 1.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:25:24.599Z"}, "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue."}], "source": {"advisory": "GHSA-9qpf-wcv3-w3qx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:44:24.552212Z", "id": "CVE-2026-28288", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:45:44.126Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28288", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:44:24.552212Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:44:40.914Z"}}], "cna": {"title": "Dify has a user enumeration issue", "source": {"advisory": "GHSA-9qpf-wcv3-w3qx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "langgenius", "product": "dify", "versions": [{"status": "affected", "version": "< 1.9.0"}]}], "references": [{"url": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx", "name": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langgenius/dify/issues/24323", "name": "https://github.com/langgenius/dify/issues/24323", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:25:24.599Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28288", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:45:44.126Z", "dateReserved": "2026-02-26T01:52:58.735Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T20:25:24.599Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dify:dify:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A550B53-5989-4424-A1CE-46690BDDEC88", "versionEndExcluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue."}, {"lang": "es", "value": "Dify es una plataforma de desarrollo de aplicaciones LLM de c\u00f3digo abierto. Antes de la versi\u00f3n 1.9.0, las respuestas de la API de Dify a cuentas existentes y no existentes difieren, permitiendo a un atacante enumerar direcciones de correo electr\u00f3nico registradas en Dify. La versi\u00f3n 1.9.0 soluciona el problema."}], "id": "CVE-2026-28288", "lastModified": "2026-03-09T20:23:10.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T21:16:18.853", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/langgenius/dify/issues/24323"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dify", "source": "cna", "vendor": "langgenius"}, "product": "dify", "vendor": "langgenius"}], "analysis": {"en": {"generated_at": "2026-04-17T13:54:58.383804+00:00", "value": {"mitigation_remediation": ["Upgrade Dify to version 1.9.0 or later to eliminate the API response discrepancy.", "Implement input validation to ensure all email existence checks return a uniform generic response, thereby removing the enumeration vector.", "Restrict the account\u2011lookup API to callers with authenticated permissions and apply rate limiting to mitigate automated enumeration attempts."], "summary": {"action": "Apply Patch", "impact": "User Enumeration via API Response Discrepancy"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of Dify, a platform for building LLM\u2011based applications, developed by langgenius, running any version prior to 1.9.0. The vulnerability is not present in the 1.9.0 release or later.", "description_and_impact": "An attacker can determine whether an email address is registered with the Dify platform by sending API requests that elicit different responses for existing versus non\u2011existent accounts. This leads to a privacy violation where an adversary can gather email addresses of users without authorization. The weakness is classified as CWE\u2011204, indicating lack of adequate access controls that expose sensitive data through response variation.", "risk_and_exploitability": "The CVSS base score of 5.5 indicates moderate severity, with low exploitation probability as reflected by an EPSS score of less than 1 percent. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, implying no confirmed exploitation at the time of analysis. Exploitation requires only the ability to send API requests to the service; no privileged access or additional conditions are necessary."}}}}, "created": "2026-03-02T12:04:55.678941+00:00", "updated": "2026-04-17T14:00:15.810545+00:00", "vendors": ["langgenius", "langgenius$PRODUCT$dify"]}