CVE-2024-11821

low-risk

Published 2025-03-20

A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint /console/api/apps/{chatbot-id}/model-config, allowing unauthorized users to alter chatbot configurations.

Do I need to act?

0.09% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Dify

Affected Vendors

Langgenius

References (1)

Exploit https://huntr.com/bounties/76d5986d-3882-4ea7-81cb-f00400e5c6b6

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal