CVE-2025-56157
Severity: CRITICAL
Dify < 1.5.1 - Use of Hard-coded PostgreSQL Credentials in docker-compose.yaml
Title source: llmDescription
Default credentials in Dify through 1.5.1: the PostgreSQL username and password are specified in the docker-compose.yaml file included in its source code. NOTE: the supplier reports that the Docker configuration does not expose PostgreSQL (TCP port 5432) by default in version 1.0.1 or later.
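The two things a deployer should verify before trusting the NOTE above are whether the compose file still carries a fallback default for the database password (so an operator who never set the variable in `.env` is running on the shipped value) and whether the database port is published on the host. The audit script below is an added example, not code from the Dify project or from the CVE references. It parses the subset of YAML that compose files use (two-space indentation, short port syntax) with the standard library only, so it runs offline; the sample compose documents, the `changeme` placeholder and the `EXPOSE_DB_PORT` variable name are constructed for the example, not Dify's actual values. Run it against the raw compose file rather than `docker compose config` output, because interpolation replaces `${VAR:-default}` with its resolved value and the evidence of a fallback disappears.

```python
import re
import sys
from dataclasses import dataclass

SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN", re.IGNORECASE)
# `KEY: value` (map form) or `- KEY=value` (list form) environment entries.
ENV_ENTRY_RE = re.compile(r"^\s*(?:-\s+)?(?P<key>[A-Za-z_]\w*)\s*[:=]\s*(?P<value>.*?)\s*$")
# ${VAR:-default}: the literal compose substitutes when VAR is unset.
FALLBACK_RE = re.compile(r"^\$\{(?P<var>[A-Za-z_]\w*):?-(?P<default>[^}]*)\}$")
# `key:` (block opener, rest is None) or `key: rest` (scalar).
KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z0-9_.-]+):(?:\s+(?P<rest>.*))?$")
LIST_ITEM_RE = re.compile(r"^\s*-\s+(?P<item>.+?)\s*$")
BIND_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|\[[^\]]+\]):(?P<port>.+)$")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

@dataclass
class Finding:
    line: int
    scope: str   # "services.<name>" or the top-level key the entry sits under
    kind: str    # hardcoded-secret | published-db-port | loopback-db-port
    detail: str

def parse_port_mapping(item: str):
    """Short-syntax mapping -> (bind_ip, host_port, container_port); None if unparsed."""
    item = item.strip().strip("\"'")
    if ":" not in item:                       # bare "5432": ephemeral host port, all interfaces
        return None, "ephemeral", item.split("/")[0]
    host_part, container = item.rsplit(":", 1)
    container = container.split("/")[0]       # drop /tcp or /udp
    bind_ip, bm = None, BIND_RE.match(host_part)
    if bm:
        bind_ip, host_part = bm.group("ip").strip("[]"), bm.group("port")
    fb = FALLBACK_RE.match(host_part)         # "${EXPOSE_DB_PORT:-5432}" -> "5432"
    host_port = fb.group("default") if fb else host_part
    if not container.isdigit() or not re.fullmatch(r"\d+|\$\{[^}]+\}", host_port):
        return None                           # long syntax, ranges etc. are not handled here
    return bind_ip, host_port, container

def audit_compose(text: str, db_port: int = 5432) -> list[Finding]:
    """Scan raw compose text for secret keys with literal/fallback values and
    for a host-published mapping onto the database port."""
    findings, top, service, section = [], None, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(?:^|\s+)#.*$", "", raw).rstrip()   # strip comments
        if not line.strip():
            continue
        indent, m = len(line) - len(line.lstrip(" ")), KEY_RE.match(line)
        if m and indent == 0:                                # new top-level key
            top, service, section = m.group("key"), None, None
            continue
        if m and m.group("rest") is None:                    # opens a nested block
            if indent == 2 and top == "services":
                service, section = m.group("key"), None
            elif indent == 4 and service:
                section = m.group("key")
            continue
        if m and indent == 4:                                # service-level scalar, e.g. image:
            section = None
        scope = f"services.{service}" if service else (top or "?")
        if section == "ports":
            lm = LIST_ITEM_RE.match(line)
            parsed = parse_port_mapping(lm.group("item")) if lm else None
            if parsed and parsed[2] == str(db_port):
                bind_ip, host_port, _ = parsed
                kind = "loopback-db-port" if bind_ip in LOOPBACK else "published-db-port"
                findings.append(Finding(lineno, scope, kind,
                                        f"port {db_port} published on {bind_ip or '0.0.0.0'}:{host_port}"))
            continue
        em = ENV_ENTRY_RE.match(line)
        if not em or not SECRET_KEY_RE.search(em.group("key")):
            continue
        key, value = em.group("key"), em.group("value").strip("\"'")
        fb = FALLBACK_RE.match(value)
        if fb and fb.group("default"):
            findings.append(Finding(lineno, scope, "hardcoded-secret",
                                    f"{key} falls back to '{fb.group('default')}' when ${fb.group('var')} is unset"))
        elif not value.startswith("$"):
            findings.append(Finding(lineno, scope, "hardcoded-secret", f"{key} is the literal '{value}'"))
    return findings

# Constructed sample, not Dify's real compose file; "changeme" is a placeholder.
VULNERABLE_COMPOSE = """\
x-shared-env: &shared-env
  DB_PASSWORD: ${DB_PASSWORD:-changeme}
services:
  api:
    image: example/api:latest
    environment: *shared-env
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD:-changeme}
    ports:
      - "${EXPOSE_DB_PORT:-5432}:5432"
"""
# Hardened form: ${VAR:?msg} makes compose abort when DB_PASSWORD is unset,
# and the db service publishes no host port at all.
HARDENED_COMPOSE = """\
services:
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD:?set a unique DB_PASSWORD in .env}
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_COMPOSE
    for f in audit_compose(source):
        print(f"line {f.line:>3}  {f.scope:<14} {f.kind:<18} {f.detail}")
```

Invoke it as `python audit_compose.py docker/docker-compose.yaml` (file name is illustrative). A `loopback-db-port` finding (a `127.0.0.1:5432:5432` mapping) is reported separately because it only reaches processes on the Docker host; a `published-db-port` finding combined with a `hardcoded-secret` fallback on the same password variable is the condition under which the hard-coded credentials become reachable from the network.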
References (8)
Broken Link: http://dify.com
Exploit, Mitigation, Third Party Advisory: https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd
Issue Tracking: https://github.com/langgenius/dify/issues/15285
Issue Tracking: https://github.com/langgenius/dify/pull/15286
Issue Tracking: https://github.com/langgenius/dify/pull/15286.diff
Release Notes: https://github.com/langgenius/dify/releases/tag/1.0.1
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0081 (percentile 52.0%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-798 (Use of Hard-coded Credentials)
Status: published
Products (1): langgenius/dify < 1.5.1
Published: Dec 18, 2025
Tracked Since: Feb 18, 2026