CVE-2026-61461

LangGenius · Dify

Dify is vulnerable to an authenticated SQL injection flaw within the MyScale vector store search functionality, allowing attackers to manipulate database queries.

Executive summary

An authenticated SQL injection vulnerability in Dify could allow attackers to compromise backend database integrity and access sensitive information.

Vulnerability

The application contains a flaw in the MyScale vector store search implementation that improperly neutralizes user input, resulting in SQL injection. This vulnerability requires an authenticated attacker to provide malicious input during the full-text search process.

Business impact

With a CVSS score of 8.8, this vulnerability presents a critical risk to data confidentiality and integrity. An attacker can leverage this flaw to bypass application logic, access unauthorized records, or potentially extract sensitive data from the underlying database.

Remediation

Immediate Action: Upgrade Dify to version 1.16.0-rc1 or newer to remediate the SQL injection vulnerability.

Proactive Monitoring: Monitor database query logs for anomalous syntax or unexpected search patterns that indicate SQL injection attempts.

Compensating Controls: Utilize a Web Application Firewall (WAF) with updated SQL injection detection rules to inspect and filter malicious search queries.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Database integrity is paramount for application security. We strongly recommend patching to the version specified above to prevent unauthorized database access and potential data leakage.