@blamejs/exceptd-skills 0.13.113 → 0.13.115

package/data/atlas-ttps.json

@@ -1748,6 +1748,7 @@
       "CVE-2023-6021",
       "CVE-2023-6038",
       "CVE-2023-6571",
+      "CVE-2024-12776",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -1762,6 +1763,7 @@
       "CVE-2024-4889",
       "CVE-2024-6587",
       "CVE-2024-9526",
+      "CVE-2025-1796",
       "CVE-2025-25297",
       "CVE-2025-27520",
       "CVE-2025-30202",
@@ -1780,6 +1782,8 @@
       "CVE-2026-31230",
       "CVE-2026-33017",
       "CVE-2026-34159",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-45829"
     ]
   },

package/data/attack-techniques.json

@@ -530,8 +530,10 @@
       "CVE-2023-27351",
       "CVE-2023-43791",
       "CVE-2023-50224",
+      "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2024-54085",
+      "CVE-2025-1796",
       "CVE-2025-21085",
       "CVE-2025-2746",
       "CVE-2025-2747",
@@ -549,6 +551,8 @@
       "CVE-2026-33825",
       "CVE-2026-39884",
       "CVE-2026-41940",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-42897",
       "CVE-2026-6973",
       "MAL-2026-NODE-IPC-STEALER",
@@ -776,7 +780,8 @@
     "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials ...",
     "tactic": [
       "Credential Access"
-    ]
+    ],
+    "cve_refs": []
   },
   "T1110.001": {
     "name": "Brute Force: Password Guessing",
@@ -895,6 +900,7 @@
       "CVE-2023-6019",
       "CVE-2023-6021",
       "CVE-2023-6038",
+      "CVE-2024-12776",
       "CVE-2024-12987",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -927,6 +933,7 @@
       "CVE-2025-14733",
       "CVE-2025-14847",
       "CVE-2025-15556",
+      "CVE-2025-1796",
       "CVE-2025-20281",
       "CVE-2025-20333",
       "CVE-2025-20337",
@@ -1081,6 +1088,8 @@
       "CVE-2026-3910",
       "CVE-2026-39987",
       "CVE-2026-40933",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-42208",
       "CVE-2026-42897",
       "CVE-2026-42945",
@@ -1269,7 +1278,8 @@
     "version": "v19",
     "cve_refs": [
       "CVE-2023-43791",
-      "CVE-2025-14174"
+      "CVE-2025-14174",
+      "CVE-2025-1796"
     ],
     "description_full": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack) Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.",
     "platforms": [
@@ -1306,6 +1316,9 @@
     "description": "Adversaries may leverage information repositories to mine valuable information.",
     "tactic": [
       "Collection"
+    ],
+    "cve_refs": [
+      "CVE-2026-41950"
     ]
   },
   "T1485": {
@@ -1450,6 +1463,9 @@
     "description": "Adversaries may access data from cloud storage.",
     "tactic": [
       "Collection"
+    ],
+    "cve_refs": [
+      "CVE-2026-41947"
     ]
   },
   "T1543": {
@@ -1726,7 +1742,10 @@
     "stix_id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
     "is_subtechnique": false,
     "last_verified": "2026-05-19",
-    "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts."
+    "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.",
+    "cve_refs": [
+      "CVE-2024-12776"
+    ]
   },
   "T1557": {
     "name": "Adversary-in-the-Middle",

package/data/cve-catalog.json

@@ -17908,6 +17908,422 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Dify's RemoteFileUploadApi fetches user-supplied URLs without destination validation, letting an unauthenticated attacker reach internal/cloud-metadata services (CWE-918 SSRF); no fixed version published - validate/allowlist the fetch destination."
   },
+  "CVE-2025-1796": {
+    "name": "Dify Weak-PRNG Password Reset Account Takeover",
+    "type": "Account Takeover",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); huntr.dev (CNA) rates it 7.5 (HIGH, AC:H). Dify generates password-reset codes with a weak pseudo-random number generator (random.randint instead of a cryptographically secure source), so an attacker predicts the reset code and takes over any account, including administrators (CWE-338 weak PRNG + CWE-640 weak password-recovery mechanism).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing huntr.dev advisory (https://github.com/advisories/GHSA-cvg9-334x-w586): predict the weak-PRNG reset code and complete a password reset for any account.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev (https://github.com/advisories/GHSA-cvg9-334x-w586). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a weak password-recovery mechanism in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published, so exposed instances remain vulnerable.",
+    "affected": "Dify 0.10.1.",
+    "affected_versions": [
+      "Dify 0.10.1"
+    ],
+    "vector": "Dify's password-reset flow generates the reset code with a weak pseudo-random number generator (random.randint) rather than a cryptographically secure RNG. An attacker predicts the reset code for any account - including administrator accounts - and completes a password reset to take it over (CWE-338 / CWE-640). Disclosed via huntr.dev.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:L - a low-privilege account suffices to trigger and predict the reset code; the takeover reaches admin.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version is published as of curation; mitigation is replacing the reset-token generation with a CSPRNG and verifying the reset token server-side (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Dify release is published. Generate password-reset tokens with a cryptographically secure RNG (e.g. secrets / os.urandom), make them long and single-use with short expiry, and rate-limit reset attempts so a code cannot be predicted or brute-forced."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification/authentication is undermined: the LLM app's password-recovery flow lets an attacker authenticate as any user, including admin.",
+      "NIST-800-53-AC-3": "Access enforcement is bypassed: a predictable reset code grants control of any account.",
+      "ISO-27001-2022-A.5.15": "Access control does not constrain the password-recovery path in the LLM app platform.",
+      "NIS2-Art21-identity-management": "Article 21 identity/access measures do not cover weak password-recovery in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model AI-app account takeover via password recovery as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for secure password-recovery in AI app platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's password-recovery flow as an authentication-integrity control whose failure yields full (admin) account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1212",
+      "T1078"
+    ],
+    "rwep_score": 44,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 44, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=24 (full account/admin takeover). The weakness is in the password-recovery mechanism - predictable reset code.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2025-1796",
+    "cwe_refs": [
+      "CWE-338",
+      "CWE-640"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Repeated Dify password-reset requests followed by reset attempts cycling through predictable code values.",
+        "Dify account passwords (including admin) changed without the legitimate owner initiating a reset.",
+        "Dify 0.10.1 with the password-reset flow reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev advisory (https://github.com/advisories/GHSA-cvg9-334x-w586) and NVD CVE-2025-1796 (CWE-338/CWE-640)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-1796",
+      "https://github.com/advisories/GHSA-cvg9-334x-w586"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2025-1796",
+        "url": "https://github.com/advisories/GHSA-cvg9-334x-w586",
+        "severity": "high",
+        "published_date": "2025-03-20"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2025-1796",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1796",
+        "severity": "high",
+        "published_date": "2025-03-20"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the huntr.dev advisory (https://github.com/advisories/GHSA-cvg9-334x-w586, CWE-338/CWE-640) + NVD (CVSS v3.1 8.8) / huntr (CNA 7.5). Dify LLM-app-platform password-recovery flaw; introduces the AI-app password-recovery-integrity control NEW-CTRL-108.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify generates password-reset codes with a weak PRNG (random.randint), so an attacker predicts the code and takes over any account incl. admin (CWE-338/CWE-640); no fixed version published - use a CSPRNG for reset tokens."
+  },
+  "CVE-2024-12776": {
+    "name": "Dify Unverified Password-Reset Endpoint Account Takeover",
+    "type": "Account Takeover",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "huntr.dev (CNA) CVSS v3.0 base 8.1 (HIGH); NVD has not published its own assessed score. Dify's /forgot-password/resets endpoint does not verify the password-reset code before allowing the reset, so an attacker resets the password of any user - including administrators - and takes over the account (CWE-287 improper authentication; NVD classifies it CWE-305 authentication bypass by primary weakness; both map to the catalogued CWE-640 weak password-recovery mechanism).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing huntr.dev advisory (https://github.com/advisories/GHSA-g394-qpx6-x7rr): call /forgot-password/resets without a valid reset code to reset any user's password.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev (https://github.com/advisories/GHSA-g394-qpx6-x7rr). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is a weak password-recovery mechanism in an LLM app platform.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published, so exposed instances remain vulnerable.",
+    "affected": "Dify 0.10.1.",
+    "affected_versions": [
+      "Dify 0.10.1"
+    ],
+    "vector": "Dify's /forgot-password/resets endpoint does not verify the password-reset code before performing the reset, so an attacker resets the password of any user - including administrators - without possessing a valid reset code, taking over the account (CWE-287 / CWE-640). Disclosed via huntr.dev.",
+    "complexity": "high",
+    "complexity_notes": "huntr CNA AV:N / AC:H / PR:N - unauthenticated, but the reset flow requires some setup (AC:H); the takeover reaches admin.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version is published as of curation; mitigation is replacing the reset-token generation with a CSPRNG and verifying the reset token server-side (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed Dify release is published. Verify the password-reset code server-side before accepting a new password at /forgot-password/resets, bind the code to the requesting user and a short expiry, and invalidate it after use."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Identification/authentication is undermined: the LLM app's password-recovery flow lets an attacker authenticate as any user, including admin.",
+      "NIST-800-53-AC-3": "Access enforcement is bypassed: an unverified reset endpoint grants control of any account.",
+      "ISO-27001-2022-A.5.15": "Access control does not constrain the password-recovery path in the LLM app platform.",
+      "NIS2-Art21-identity-management": "Article 21 identity/access measures do not cover weak password-recovery in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model AI-app account takeover via password recovery as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for secure password-recovery in AI app platforms.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's password-recovery flow as an authentication-integrity control whose failure yields full (admin) account takeover."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1556"
+    ],
+    "rwep_score": 44,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 24,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 44, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3). poc_available=20 + blast_radius=24 (full account/admin takeover). The weakness is in the password-recovery mechanism - unverified reset endpoint.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-12776",
+    "cwe_refs": [
+      "CWE-287",
+      "CWE-640"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify /forgot-password/resets calls that succeed without a preceding valid reset-code issuance/verification.",
+        "Dify account passwords (including admin) changed without the legitimate owner initiating a reset.",
+        "Dify 0.10.1 with the password-reset flow reachable - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev advisory (https://github.com/advisories/GHSA-g394-qpx6-x7rr) and NVD CVE-2024-12776 (CWE-287/CWE-640; NVD CWE-305)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-12776",
+      "https://github.com/advisories/GHSA-g394-qpx6-x7rr"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-12776",
+        "url": "https://github.com/advisories/GHSA-g394-qpx6-x7rr",
+        "severity": "high",
+        "published_date": "2024-12-17"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-12776",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12776",
+        "severity": "high",
+        "published_date": "2024-12-17"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the huntr.dev advisory (https://github.com/advisories/GHSA-g394-qpx6-x7rr, CWE-287/CWE-640; NVD assigns CWE-305, mapped to catalogued CWE-640) + huntr (CNA, CVSS v3.0 8.1; NVD unscored). Dify LLM-app-platform password-recovery flaw; introduces the AI-app password-recovery-integrity control NEW-CTRL-108.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's /forgot-password/resets endpoint does not verify the reset code, letting an attacker reset any user's password incl. admin (CWE-287/CWE-640; NVD CWE-305); no fixed version published - verify the reset token server-side."
+  },
+  "CVE-2026-41947": {
+    "name": "Dify Trace-Config Cross-Tenant Authorization Bypass",
+    "type": "Authorization Bypass",
+    "cvss_score": 9.1,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
+    "cvss_note": "VulnCheck (CNA) / NVD CVSS v4.0 base 9.1 (CRITICAL); vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N (AC:H - the attacker must target a specific application). Dify's trace-configuration endpoints lack tenant-ownership checks, so an authenticated editor user configures trace settings for ANY application regardless of tenant ownership (CWE-639 authorization bypass through user-controlled key), and can redirect victim trace data to an attacker-controlled provider.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-48v9-p8g8-55vg): an editor user configures trace settings for an application they do not own.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-48v9-p8g8-55vg). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing object-level authorization in an LLM app platform's API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Dify through 1.14.1.",
+    "affected_versions": [
+      "Dify <= 1.14.1"
+    ],
+    "vector": "Dify's trace-configuration endpoints do not verify tenant ownership, so an authenticated editor-level user supplies another application's identifier and configures its trace settings without owning the tenant (CWE-639). The attacker can redirect that application's trace/telemetry data to an attacker-controlled provider, exfiltrating victim data.",
+    "complexity": "high",
+    "complexity_notes": "VulnCheck v4.0 AV:N / AC:H / PR:N - an authenticated editor-level account; AC:H reflects targeting a specific application's trace configuration; no tenant ownership required.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.14.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Dify to 1.14.2 or later. Enforce object-level authorization on every API that references an object by caller-supplied id: verify tenant ownership before allowing trace-configuration changes."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not verify ownership of the application/tenant whose trace config is changed (CWE-639).",
+      "NIST-800-53-AC-6": "Least-privilege is not enforced - an ordinary authenticated user can redirect another tenant's trace data to an external provider.",
+      "NIST-800-53-SC-28": "Protection of information does not prevent cross-tenant access to data via a user-controlled key.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the LLM app platform's API.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not prevent object-level authorization bypass in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model cross-tenant config tampering in an AI app as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI app-platform APIs.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's object-level authorization (ownership checks on user-controlled keys) as an integrity control."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1530"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=22, minus patch_available 15. Object-level authorization bypass (CWE-639) - cross-tenant trace-config tampering.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-41947",
+    "cwe_refs": [
+      "CWE-639"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify trace-configuration requests referencing application/tenant identifiers the caller does not own.",
+        "Dify application trace/telemetry endpoints reconfigured to point at an unexpected external provider.",
+        "Dify <= 1.14.1 with editor-level accounts able to reach trace-config endpoints - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-48v9-p8g8-55vg) and NVD CVE-2026-41947 (CWE-639)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-41947",
+      "https://github.com/advisories/GHSA-48v9-p8g8-55vg"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-41947",
+        "url": "https://github.com/advisories/GHSA-48v9-p8g8-55vg",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-41947",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41947",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-48v9-p8g8-55vg, CWE-639) + VulnCheck (CNA) / NVD (CVSS v4.0 9.1, AC:H). Dify LLM-app-platform object-level authorization bypass; reuses the AI-app API object-authorization control NEW-CTRL-106 (shared with the Label Studio privilege-escalation chain).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's trace-config endpoints miss tenant-ownership checks, letting an editor user configure trace settings for any app and redirect victim data (CWE-639 authz bypass); fixed in 1.14.2."
+  },
+  "CVE-2026-41950": {
+    "name": "Dify Chat-Messages Arbitrary File-UUID Cross-User File Read",
+    "type": "Authorization Bypass",
+    "cvss_score": 6.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "VulnCheck (CNA) CVSS v3.1 base 6.5 (MEDIUM, confidentiality-only); VulnCheck also rates it CVSS v4.0 6.0. Dify does not verify ownership of file references in a chat-messages request, so an authenticated user supplies an arbitrary file UUID in the files array and reads the full contents of files uploaded by other users in the same tenant (CWE-639 authorization bypass through user-controlled key / IDOR).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-r2m5-9rwx-269r): an authenticated user reads another user's file by supplying its UUID in a chat-messages request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-r2m5-9rwx-269r). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing object-level authorization in an LLM app platform's API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Dify before 1.14.0.",
+    "affected_versions": [
+      "Dify < 1.14.0"
+    ],
+    "vector": "Dify accepts a file UUID in the files array of a chat-messages request without verifying that the requesting user owns that file, so an authenticated user supplies an arbitrary UUID and reads the full contents of files uploaded by other users within the same tenant - an insecure-direct-object-reference authorization bypass (CWE-639).",
+    "complexity": "low",
+    "complexity_notes": "VulnCheck AV:N / AC:L / PR:L - an authenticated user in the tenant supplies an arbitrary file UUID.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.14.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Dify to 1.14.0 or later. Enforce object-level authorization on every API that references an object by caller-supplied id: verify the requesting user owns each file UUID before returning its contents."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not verify ownership of the file referenced by a caller-supplied UUID (CWE-639).",
+      "NIST-800-53-AC-6": "Least-privilege is not enforced - an ordinary authenticated user can read another user's file contents.",
+      "NIST-800-53-SC-28": "Protection of information does not prevent cross-user access to data via a user-controlled key.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the LLM app platform's API.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not prevent object-level authorization bypass in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model cross-user data disclosure in an AI app as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI app-platform APIs.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's object-level authorization (ownership checks on user-controlled keys) as an integrity control."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1213"
+    ],
+    "rwep_score": 21,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 16,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 21, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=16, minus patch_available 15. Object-level authorization bypass (CWE-639) - cross-user file read.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-41950",
+    "cwe_refs": [
+      "CWE-639"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify chat-messages requests whose files array references file UUIDs not uploaded by the requesting user.",
+        "Dify returning file contents belonging to other users in the same tenant.",
+        "Dify < 1.14.0 with multiple users sharing a tenant - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-r2m5-9rwx-269r) and NVD CVE-2026-41950 (CWE-639)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-41950",
+      "https://github.com/advisories/GHSA-r2m5-9rwx-269r"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-41950",
+        "url": "https://github.com/advisories/GHSA-r2m5-9rwx-269r",
+        "severity": "medium",
+        "published_date": "2026-05-05"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-41950",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41950",
+        "severity": "medium",
+        "published_date": "2026-05-05"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-r2m5-9rwx-269r, CWE-639) + VulnCheck (CNA, CVSS v3.1 6.5; v4.0 6.0). Dify LLM-app-platform object-level authorization bypass; reuses the AI-app API object-authorization control NEW-CTRL-106 (shared with the Label Studio privilege-escalation chain).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify reads files by user-supplied UUID in chat-messages without ownership checks, letting an authenticated user read other users' uploaded files in the tenant (CWE-639 IDOR); fixed in 1.14.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -717,6 +717,7 @@
       "CVE-2020-10148",
       "CVE-2021-32030",
       "CVE-2023-27351",
+      "CVE-2024-12776",
       "CVE-2024-1709",
       "CVE-2025-32975",
       "CVE-2025-3935",
@@ -1025,7 +1026,9 @@
       "CAPEC-485"
     ],
     "skills_referencing": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2025-1796"
+    ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SC-13"
     ],
@@ -3494,7 +3497,10 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-41947",
+      "CVE-2026-41950"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,
@@ -3513,7 +3519,10 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2024-12776",
+      "CVE-2025-1796"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,