CVE-2025-32796

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Apr 18, 2025
Updated: Apr 30, 2025
CWE ID 863
CWE ID 284

Summary

CVE-2025-32796 is a vulnerability affecting Dify, the open-source LLM app development platform. Before version 0.6.12, normal users were able to enable or disable apps through the API even though the corresponding web UI button was disabled and they lacked permission to do so. This access control flaw (the API trusted the UI to gate the action instead of enforcing the permission itself) allowed non-admin users to make unauthorized changes, potentially disrupting the functionality and availability of apps. Version 0.6.12 includes a patch for this issue. A workaround involves updating API access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure only users with admin privileges can send enable or disable requests for apps.
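The flaw described above and the RBAC workaround, as an added example that is not Dify's own code: a minimal enable/disable handler is shown first with only an authentication check (the pattern the advisory describes, where hiding the UI button does nothing to stop a direct API call), then hardened with a server-side role check applied through a reusable decorator. The `Role`, `User`, `App` and `Response` types, the handler names and the role names are assumptions for illustration and do not correspond to Dify's real API routes or data model.

```python
# Added example, not code from the Dify project. Every name below is an
# assumption chosen for illustration of the access-control point only.
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps


class Role(str, Enum):
    ADMIN = "admin"
    NORMAL = "normal"


@dataclass
class User:
    name: str
    role: Role


@dataclass
class App:
    app_id: str
    enabled: bool = True


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def set_app_enabled_vulnerable(user, app, enabled):
    """Pre-fix shape of the endpoint: only authentication is checked.

    The web UI may grey out the button for normal users, but the API is the
    real enforcement point, so any logged-in user can flip the flag.
    """
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    app.enabled = enabled
    return Response(200, {"app_id": app.app_id, "enabled": app.enabled})


def require_role(*allowed):
    """Decorator enforcing RBAC server-side, independent of UI state."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if user is None:
                return Response(401, {"error": "unauthenticated"})
            if user.role not in allowed:
                # Deny before touching any state; 403 distinguishes a
                # permission failure from a missing login.
                return Response(403, {"error": "forbidden: admin role required"})
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role(Role.ADMIN)
def set_app_enabled_hardened(user, app, enabled):
    """Post-fix shape: only callers holding the admin role reach this body."""
    app.enabled = enabled
    return Response(200, {"app_id": app.app_id, "enabled": app.enabled})


def compare_outcomes():
    """Run both handlers as a normal (non-admin) user and report the results."""
    normal = User("bob", Role.NORMAL)
    vuln_app, fixed_app = App("demo-app"), App("demo-app")
    before = set_app_enabled_vulnerable(normal, vuln_app, False)
    after = set_app_enabled_hardened(normal, fixed_app, False)
    return {
        "vulnerable": (before.status, vuln_app.enabled),
        "hardened": (after.status, fixed_app.enabled),
    }


if __name__ == "__main__":
    print(compare_outcomes())
```

The useful property to check in a regression test is not just the 403 but that the app's state is untouched after the denied call; the hardened path above returns before any mutation, which is what the RBAC workaround in the advisory amounts to.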

