CVE-2026-28288 - Vulnerability Details - OpenCVE

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://www.complify.pro/ai-companies
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/managed-detection-response
https://github.com/langgenius/dify/issues/24323
https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx

History

Fri, 27 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Feb 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.
Title		Dify has a user enumeration issue
Weaknesses		CWE-204
References		https://github.com/langgenius/dify/issues/24323 https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx
Metrics		cvssV4_0 `{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-27T20:25:24.599Z

Updated: 2026-02-27T20:45:44.126Z

Reserved: 2026-02-26T01:52:58.735Z

Link: CVE-2026-28288

Vulnrichment

Updated: 2026-02-27T20:44:40.914Z

NVD

Status : Received

Published: 2026-02-27T21:16:18.853

Modified: 2026-02-27T21:16:18.853

Link: CVE-2026-28288

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28288", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.735Z", "datePublished": "2026-02-27T20:25:24.599Z", "dateUpdated": "2026-02-27T20:45:44.126Z"}, "containers": {"cna": {"title": "Dify has a user enumeration issue", "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "lang": "en", "description": "CWE-204: Observable Response Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx"}, {"name": "https://github.com/langgenius/dify/issues/24323", "tags": ["x_refsource_MISC"], "url": "https://github.com/langgenius/dify/issues/24323"}], "affected": [{"vendor": "langgenius", "product": "dify", "versions": [{"version": "< 1.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:25:24.599Z"}, "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue."}], "source": {"advisory": "GHSA-9qpf-wcv3-w3qx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:44:24.552212Z", "id": "CVE-2026-28288", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:45:44.126Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28288", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:44:24.552212Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:44:40.914Z"}}], "cna": {"title": "Dify has a user enumeration issue", "source": {"advisory": "GHSA-9qpf-wcv3-w3qx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "langgenius", "product": "dify", "versions": [{"status": "affected", "version": "< 1.9.0"}]}], "references": [{"url": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx", "name": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langgenius/dify/issues/24323", "name": "https://github.com/langgenius/dify/issues/24323", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204: Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:25:24.599Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28288", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:45:44.126Z", "dateReserved": "2026-02-26T01:52:58.735Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T20:25:24.599Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue."}], "id": "CVE-2026-28288", "lastModified": "2026-02-27T21:16:18.853", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T21:16:18.853", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/langgenius/dify/issues/24323"}, {"source": "security-advisories@github.com", "url": "https://github.com/langgenius/dify/security/advisories/GHSA-9qpf-wcv3-w3qx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "security-advisories@github.com", "type": "Primary"}]}