CVE-2024-11821

CVSS 3.0 Score 4.3 of 10 (medium)

Details

Published Mar 20, 2025

CWE ID 250

Summary

CVE-2024-11821 is a privilege escalation vulnerability affecting langgenius/dify version 0.9.1. This issue enables normal users to manipulate Orchestrate instructions for chatbots created by admin users. The root cause stems from the application's failure to adequately enforce access controls on the endpoint /console/api/apps/{chatbot-id}/model-config. Unauthorized users can exploit this vulnerability to alter chatbot configurations, potentially causing significant disruptions or unintended consequences.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Dify

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/08ckEc
https://www.cve.org/CVERecord?id=CVE-2024-11821
https://nvd.nist.gov/vuln/detail/CVE-2024-11821

Back to Vulnerability Database

Platform Features

Products

Use Cases

Teams

Industries

Services

Measuring the US-China AI Gap

TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered

Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting

Know What Matters

For Customers

For Partners

CVE-2024-11821

CVSS 3.0 Score 4.3 of 10 (medium)

Details

Summary

Affected Products

Advisories, Assessments, and Mitigations