CVE-2026-28288

MEDIUM NUCLEI

Dify <1.9.0 - Info Disclosure

Title source: llm

Description

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

Nuclei Templates (1)

Dify User Enumeration via Observable Response Discrepancy
MEDIUM | VERIFIED | by DhiyaneshDk

Scores

CVSS v3 5.3
EPSS 0.0059
EPSS Percentile 69.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-204
Status published
Products (1)
dify/dify < 1.9.0
Published Feb 27, 2026
Tracked Since Feb 28, 2026