@blamejs/exceptd-skills 0.13.114 → 0.13.116

package/data/cve-catalog.json

@@ -18116,6 +18116,214 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Dify's /forgot-password/resets endpoint does not verify the reset code, letting an attacker reset any user's password incl. admin (CWE-287/CWE-640; NVD CWE-305); no fixed version published - verify the reset token server-side."
   },
+  "CVE-2026-41947": {
+    "name": "Dify Trace-Config Cross-Tenant Authorization Bypass",
+    "type": "Authorization Bypass",
+    "cvss_score": 9.1,
+    "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
+    "cvss_note": "VulnCheck (CNA) / NVD CVSS v4.0 base 9.1 (CRITICAL); vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N (AC:H - the attacker must target a specific application). Dify's trace-configuration endpoints lack tenant-ownership checks, so an authenticated editor user configures trace settings for ANY application regardless of tenant ownership (CWE-639 authorization bypass through user-controlled key), and can redirect victim trace data to an attacker-controlled provider.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-48v9-p8g8-55vg): an editor user configures trace settings for an application they do not own.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-48v9-p8g8-55vg). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing object-level authorization in an LLM app platform's API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Dify through 1.14.1.",
+    "affected_versions": [
+      "Dify <= 1.14.1"
+    ],
+    "vector": "Dify's trace-configuration endpoints do not verify tenant ownership, so an authenticated editor-level user supplies another application's identifier and configures its trace settings without owning the tenant (CWE-639). The attacker can redirect that application's trace/telemetry data to an attacker-controlled provider, exfiltrating victim data.",
+    "complexity": "high",
+    "complexity_notes": "VulnCheck v4.0 AV:N / AC:H / PR:N - an authenticated editor-level account; AC:H reflects targeting a specific application's trace configuration; no tenant ownership required.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.14.2 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Dify to 1.14.2 or later. Enforce object-level authorization on every API that references an object by caller-supplied id: verify tenant ownership before allowing trace-configuration changes."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not verify ownership of the application/tenant whose trace config is changed (CWE-639).",
+      "NIST-800-53-AC-6": "Least-privilege is not enforced - an ordinary authenticated user can redirect another tenant's trace data to an external provider.",
+      "NIST-800-53-SC-28": "Protection of information does not prevent cross-tenant access to data via a user-controlled key.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the LLM app platform's API.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not prevent object-level authorization bypass in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model cross-tenant config tampering in an AI app as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI app-platform APIs.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's object-level authorization (ownership checks on user-controlled keys) as an integrity control."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1530"
+    ],
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 27, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=22, minus patch_available 15. Object-level authorization bypass (CWE-639) - cross-tenant trace-config tampering.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-41947",
+    "cwe_refs": [
+      "CWE-639"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify trace-configuration requests referencing application/tenant identifiers the caller does not own.",
+        "Dify application trace/telemetry endpoints reconfigured to point at an unexpected external provider.",
+        "Dify <= 1.14.1 with editor-level accounts able to reach trace-config endpoints - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-48v9-p8g8-55vg) and NVD CVE-2026-41947 (CWE-639)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-41947",
+      "https://github.com/advisories/GHSA-48v9-p8g8-55vg"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-41947",
+        "url": "https://github.com/advisories/GHSA-48v9-p8g8-55vg",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-41947",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41947",
+        "severity": "critical",
+        "published_date": "2026-05-18"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-48v9-p8g8-55vg, CWE-639) + VulnCheck (CNA) / NVD (CVSS v4.0 9.1, AC:H). Dify LLM-app-platform object-level authorization bypass; reuses the AI-app API object-authorization control NEW-CTRL-106 (shared with the Label Studio privilege-escalation chain).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify's trace-config endpoints miss tenant-ownership checks, letting an editor user configure trace settings for any app and redirect victim data (CWE-639 authz bypass); fixed in 1.14.2."
+  },
+  "CVE-2026-41950": {
+    "name": "Dify Chat-Messages Arbitrary File-UUID Cross-User File Read",
+    "type": "Authorization Bypass",
+    "cvss_score": 6.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "VulnCheck (CNA) CVSS v3.1 base 6.5 (MEDIUM, confidentiality-only); VulnCheck also rates it CVSS v4.0 6.0. Dify does not verify ownership of file references in a chat-messages request, so an authenticated user supplies an arbitrary file UUID in the files array and reads the full contents of files uploaded by other users in the same tenant (CWE-639 authorization bypass through user-controlled key / IDOR).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Documented in the disclosing advisory (https://github.com/advisories/GHSA-r2m5-9rwx-269r): an authenticated user reads another user's file by supplying its UUID in a chat-messages request.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-r2m5-9rwx-269r). The abused surface is Dify, a widely used low-code LLM application-development platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is missing object-level authorization in an LLM app platform's API.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Advisory disclosure with a coordinated fix; no confirmed in-the-wild exploitation reported as of curation.",
+    "affected": "Dify before 1.14.0.",
+    "affected_versions": [
+      "Dify < 1.14.0"
+    ],
+    "vector": "Dify accepts a file UUID in the files array of a chat-messages request without verifying that the requesting user owns that file, so an authenticated user supplies an arbitrary UUID and reads the full contents of files uploaded by other users within the same tenant - an insecure-direct-object-reference authorization bypass (CWE-639).",
+    "complexity": "low",
+    "complexity_notes": "VulnCheck AV:N / AC:L / PR:L - an authenticated user in the tenant supplies an arbitrary file UUID.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "Remediation is upgrading to 1.14.0 or later; redeploy, no host reboot.",
+    "vendor_update_paths": [
+      "Upgrade Dify to 1.14.0 or later. Enforce object-level authorization on every API that references an object by caller-supplied id: verify the requesting user owns each file UUID before returning its contents."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement does not verify ownership of the file referenced by a caller-supplied UUID (CWE-639).",
+      "NIST-800-53-AC-6": "Least-privilege is not enforced - an ordinary authenticated user can read another user's file contents.",
+      "NIST-800-53-SC-28": "Protection of information does not prevent cross-user access to data via a user-controlled key.",
+      "ISO-27001-2022-A.5.15": "Access control does not enforce object-level authorization on the LLM app platform's API.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not prevent object-level authorization bypass in AI apps.",
+      "DORA-Art-9": "ICT protection measures do not model cross-user data disclosure in an AI app as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no objective for object-level authorization on AI app-platform APIs.",
+      "AU-ISM-1546": "Patch-application control does not single out LLM app platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an LLM app platform's object-level authorization (ownership checks on user-controlled keys) as an integrity control."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078",
+      "T1213"
+    ],
+    "rwep_score": 21,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 16,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Moderate (RWEP 21, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, patched at disclosure (Hard Rule #3): poc_available=20 + blast_radius=16, minus patch_available 15. Object-level authorization bypass (CWE-639) - cross-user file read.",
+    "epss_score": null,
+    "epss_date": "2026-05-26",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2026-41950",
+    "cwe_refs": [
+      "CWE-639"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Dify chat-messages requests whose files array references file UUIDs not uploaded by the requesting user.",
+        "Dify returning file contents belonging to other users in the same tenant.",
+        "Dify < 1.14.0 with multiple users sharing a tenant - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the GitHub Security Advisory / VulnCheck (https://github.com/advisories/GHSA-r2m5-9rwx-269r) and NVD CVE-2026-41950 (CWE-639)."
+    },
+    "source_verified": "2026-05-26",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2026-41950",
+      "https://github.com/advisories/GHSA-r2m5-9rwx-269r"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2026-41950",
+        "url": "https://github.com/advisories/GHSA-r2m5-9rwx-269r",
+        "severity": "medium",
+        "published_date": "2026-05-05"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2026-41950",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41950",
+        "severity": "medium",
+        "published_date": "2026-05-05"
+      }
+    ],
+    "last_updated": "2026-05-26",
+    "discovery_attribution_note": "Manually curated from the GitHub Security Advisory (https://github.com/advisories/GHSA-r2m5-9rwx-269r, CWE-639) + VulnCheck (CNA, CVSS v3.1 6.5; v4.0 6.0). Dify LLM-app-platform object-level authorization bypass; reuses the AI-app API object-authorization control NEW-CTRL-106 (shared with the Label Studio privilege-escalation chain).",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Dify reads files by user-supplied UUID in chat-messages without ownership checks, letting an authenticated user read other users' uploaded files in the tenant (CWE-639 IDOR); fixed in 1.14.0."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -3497,7 +3497,10 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "CVE-2026-41947",
+      "CVE-2026-41950"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,

package/data/framework-control-gaps.json

@@ -114,6 +114,8 @@
       "CVE-2026-33017",
       "CVE-2026-34159",
       "CVE-2026-40933",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-45829"
     ],
     "atlas_refs": [
@@ -2221,6 +2223,8 @@
       "CVE-2023-47117",
       "CVE-2025-14847",
       "CVE-2025-22226",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-43284"
     ],
     "atlas_refs": [],
@@ -3884,7 +3888,9 @@
       "CVE-2025-64513",
       "CVE-2026-24206",
       "CVE-2026-24207",
-      "CVE-2026-26190"
+      "CVE-2026-26190",
+      "CVE-2026-41947",
+      "CVE-2026-41950"
     ],
     "atlas_refs": [
       "AML.T0010",
@@ -5187,6 +5193,8 @@
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-42897",
       "CVE-2026-42945",
       "CVE-2026-45498",
@@ -5240,6 +5248,8 @@
       "CVE-2025-56520",
       "CVE-2026-33017",
       "CVE-2026-39987",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-7482"
     ],
     "atlas_refs": [
@@ -5497,6 +5507,8 @@
       "CVE-2026-3909",
       "CVE-2026-3910",
       "CVE-2026-41940",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-6973"
     ],
     "atlas_refs": [],
@@ -5538,6 +5550,8 @@
       "CVE-2025-1796",
       "CVE-2025-3248",
       "CVE-2026-33017",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-6973"
     ],
     "atlas_refs": [],
@@ -5892,6 +5906,8 @@
       "CVE-2026-34926",
       "CVE-2026-40933",
       "CVE-2026-41091",
+      "CVE-2026-41947",
+      "CVE-2026-41950",
       "CVE-2026-45498",
       "CVE-2026-45829",
       "CVE-2026-46300",
@@ -6115,7 +6131,9 @@
       "CVE-2025-55241",
       "CVE-2026-24206",
       "CVE-2026-24207",
-      "CVE-2026-33017"
+      "CVE-2026-33017",
+      "CVE-2026-41947",
+      "CVE-2026-41950"
     ],
     "atlas_refs": [],
     "attack_refs": [

package/data/zeroday-lessons.json

@@ -4861,6 +4861,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2026-41947": {
+    "name": "Dify Trace-Config Cross-Tenant Authorization Bypass",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify's trace-configuration endpoints do not verify tenant ownership, so an authenticated editor user configures trace settings for any application and can redirect victim trace data to an attacker-controlled provider.",
+      "privileges_required": "low (an authenticated editor account)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an LLM app platform's API must enforce object-level authorization (ownership of the tenant/application/file referenced by a caller-supplied key) on every request - here a user-controlled key bypassed it for cross-tenant trace-config tampering / data redirect."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not verify ownership of the object referenced by a caller-supplied key (CWE-639)."
+      },
+      "NIST-800-53-SC-28": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Data is reachable cross-tenant/cross-user via a user-controlled key without an ownership check."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app platform's object-level authorization as an integrity control whose absence yields cross-tenant/user access."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Multi-tenant LLM app platforms expose rich object-referencing APIs; ownership checks on user-controlled keys (tenant/app/file ids) are frequently missing and rarely audited.",
+      "theater_pattern": "ai_app_broken_object_authorization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-106",
+        "name": "AI-APP-API-OBJECT-AUTHORIZATION-AND-FIELD-EXPOSURE",
+        "description": "An AI data-platform API (data-labeling, annotation, dataset/registry services) must enforce object-level authorization on every read and must never expose sensitive fields - secrets, session-signing keys, auth tokens, password hashes - through API responses, serializers, or user-controlled query/filter expressions. Use serializer field allowlists (never blanket model serialization), reject ORM/filter inputs that reference fields the caller is not authorized to read, scope every query to the caller's own objects, and store credentials so a read leak is not directly replayable (and rotate exposed secrets). The distinguishing test: as a low-privilege user, craft a filter/query that references another account's password hash or token, and confirm the API refuses it - a platform whose filter/serializer leaks sensitive fields lets an attacker chain disclosure into account impersonation and privilege escalation.",
+        "evidence": "https://github.com/advisories/GHSA-6hjj-gq77-j4qw",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SC-28",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2026-41950": {
+    "name": "Dify Chat-Messages Arbitrary File-UUID Cross-User File Read",
+    "lesson_date": "2026-05-26",
+    "attack_vector": {
+      "description": "Dify accepts a caller-supplied file UUID in a chat-messages request without verifying ownership, so an authenticated user reads files uploaded by other users in the same tenant (IDOR).",
+      "privileges_required": "low (an authenticated tenant user)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is Dify, a low-code LLM application-development platform. The lesson: an LLM app platform's API must enforce object-level authorization (ownership of the tenant/application/file referenced by a caller-supplied key) on every request - here a user-controlled key bypassed it for cross-user file disclosure."
+    },
+    "framework_coverage": {
+      "NIST-800-53-AC-3": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Access enforcement does not verify ownership of the object referenced by a caller-supplied key (CWE-639)."
+      },
+      "NIST-800-53-SC-28": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Data is reachable cross-tenant/cross-user via a user-controlled key without an ownership check."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an LLM app platform's object-level authorization as an integrity control whose absence yields cross-tenant/user access."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "Multi-tenant LLM app platforms expose rich object-referencing APIs; ownership checks on user-controlled keys (tenant/app/file ids) are frequently missing and rarely audited.",
+      "theater_pattern": "ai_app_broken_object_authorization"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-106",
+        "name": "AI-APP-API-OBJECT-AUTHORIZATION-AND-FIELD-EXPOSURE",
+        "description": "An AI data-platform API (data-labeling, annotation, dataset/registry services) must enforce object-level authorization on every read and must never expose sensitive fields - secrets, session-signing keys, auth tokens, password hashes - through API responses, serializers, or user-controlled query/filter expressions. Use serializer field allowlists (never blanket model serialization), reject ORM/filter inputs that reference fields the caller is not authorized to read, scope every query to the caller's own objects, and store credentials so a read leak is not directly replayable (and rotate exposed secrets). The distinguishing test: as a low-privilege user, craft a filter/query that references another account's password hash or token, and confirm the API refuses it - a platform whose filter/serializer leaks sensitive fields lets an attacker chain disclosure into account impersonation and privilege escalation.",
+        "evidence": "https://github.com/advisories/GHSA-6hjj-gq77-j4qw",
+        "gap_closes": [
+          "NIST-800-53-AC-3",
+          "NIST-800-53-SC-28",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-12776": {
     "name": "Dify Unverified Password-Reset Endpoint Account Takeover",
     "lesson_date": "2026-05-26",