Self Checks
1. Is this request related to a challenge you're experiencing? Tell me about your story.
Hi Dify team,
First of all, thanks for the great open-source project.
We are currently deploying Dify in an enterprise internal environment. During a recent internal security assessment and penetration test, we identified several security-related concerns and would like to share them with the community for discussion and improvement.
1. Cross-user resource access/deletion
We observed that in some scenarios, resources created by User A may potentially be viewed or deleted by User B.
This may indicate that some APIs or resource operations are missing sufficient ownership, workspace, or tenant-level authorization checks.
Potential risks:
- Unauthorized data access
- Unauthorized deletion/modification
- Cross-user data exposure
Suggested improvements:
- Enforce strict resource ownership validation
- Add tenant/workspace-level permission checks
- Introduce more fine-grained RBAC controls
- Add security test coverage for authorization boundaries
2. File download API permission validation
We found that the file download API may allow file access without fully validating whether the requesting user has permission to access the target file.
Potential risks:
- Unauthorized file download
- Internal knowledge/document leakage
- Sensitive enterprise data exposure
Suggested improvements:
- Add ownership/tenant validation before file download
- Verify access permissions for all uploaded files
- Add centralized authorization middleware for file APIs
3. Session expiration policy
Current session management appears to lack configurable expiration controls, or the expiration period may be too long for enterprise security requirements.
Suggested improvements:
- Configurable session timeout
- Idle session expiration
- Absolute session lifetime
- Refresh token expiration control
- Admin-configurable security policies
This is important for enterprise compliance and zero-trust environments.
4. Concurrent login/session control
Currently, the same account can log in simultaneously from multiple browsers/devices without restriction.
Many enterprise environments require stronger session management capabilities, such as:
- Single active session per account
- Optional “new login invalidates previous session”
- Session/device management
- Concurrent session limits
- Admin session revocation
Additional Notes
We understand that some of these items may be considered feature enhancements rather than vulnerabilities, but they are important requirements for enterprise deployments and security compliance scenarios.
We hope these suggestions can help improve Dify’s enterprise security capabilities and multi-user isolation model.
Thanks again for the great work and for maintaining the project.
2. Additional context or comments
No response
3. Can you help us with this feature?
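The ownership and tenant validation requested in items 1 and 2 of the report, shown as an added example in Python (the language of Dify's API service). This is not Dify's code: the FileRecord, AuthContext and role names are hypothetical, and an in-memory dict stands in for the database. The point is a single authorization function that every file or resource endpoint must call before serving or deleting anything, so that a file id taken from the request can never reach another tenant's or another user's data.

```python
# Added example, not Dify's code. Centralized tenant + ownership check that a
# download (or delete) endpoint calls before touching the resource.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:          # hypothetical persisted file metadata
    file_id: str
    tenant_id: str         # workspace the file belongs to
    owner_id: str          # user who uploaded it
    content: bytes


@dataclass(frozen=True)
class AuthContext:         # hypothetical caller identity after login
    user_id: str
    tenant_id: str         # workspace the caller is currently acting in
    role: str              # constructed roles: "owner", "admin", "member"


class Forbidden(Exception):
    """Raised for any access the caller is not entitled to."""


# Constructed sample data: two tenants, one uploaded file each.
FILES = {
    "f-1": FileRecord("f-1", "tenant-a", "alice", b"tenant A secret"),
    "f-2": FileRecord("f-2", "tenant-b", "bob", b"tenant B secret"),
}


def authorize_file_access(ctx: AuthContext, record: FileRecord) -> None:
    """Allow only callers inside the file's tenant who are the uploader or a
    tenant owner/admin. Raising (rather than returning a bool) means a call
    site cannot silently ignore the result."""
    if ctx.tenant_id != record.tenant_id:
        raise Forbidden("cross-tenant access")
    if ctx.user_id != record.owner_id and ctx.role not in ("owner", "admin"):
        raise Forbidden("caller is neither uploader nor tenant admin")


def download_file(ctx: AuthContext, file_id: str) -> bytes:
    """Endpoint handler: look up, authorize, then serve. Missing and
    forbidden files raise the same error type so a response cannot be used
    to probe which ids exist in other tenants."""
    record = FILES.get(file_id)
    if record is None:
        raise Forbidden("no such file")
    authorize_file_access(ctx, record)
    return record.content
```

The same function guards deletion and other resource operations: call it with the loaded record before mutating anything, and write tests that assert a cross-tenant and a same-tenant non-owner request both raise.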