CVE-2026-61461
LangGenius · Dify
Dify is vulnerable to an authenticated SQL injection flaw within the MyScale vector store search functionality, allowing attackers to manipulate database queries.
Executive summary
An authenticated SQL injection vulnerability in Dify could allow attackers to compromise backend database integrity and access sensitive information.
Vulnerability
The application contains a flaw in the MyScale vector store search implementation that improperly neutralizes user input, resulting in SQL injection. This vulnerability requires an authenticated attacker to provide malicious input during the full-text search process.
Business impact
With a CVSS score of 8.8, this vulnerability presents a critical risk to data confidentiality and integrity. An attacker can leverage this flaw to bypass application logic, access unauthorized records, or potentially extract sensitive data from the underlying database.
Remediation
Immediate Action: Upgrade Dify to version 1.16.0-rc1 or newer to remediate the SQL injection vulnerability.
Proactive Monitoring: Monitor database query logs for anomalous syntax or unexpected search patterns that indicate SQL injection attempts.
Compensating Controls: Utilize a Web Application Firewall (WAF) with updated SQL injection detection rules to inspect and filter malicious search queries.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Database integrity is paramount for application security. We strongly recommend patching to the version specified above to prevent unauthorized database access and potential data leakage.