Dify API Leaks Email Addresses Before Version 1.9.0
CVE-2026-28288
Summary
Before version 1.9.0, Dify's API returned different responses for registered and unregistered email addresses (an observable response discrepancy, CWE-204). An attacker who can reach the API can therefore test a list of addresses and learn which ones have Dify accounts, which is the usual first step toward targeted phishing or credential stuffing. Version 1.9.0 fixes the issue; update to that version or later.
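The following is an added illustration of the weakness class described above, not Dify's code: the user store, handler names and response shapes are assumptions, and the real Dify endpoint and its 1.9.0 fix may differ. It shows a handler that answers registered and unregistered addresses differently next to one that does not, the probe an attacker runs against the first, and the check a tester can run against either.

```python
"""CWE-204 on an account endpoint: a vulnerable handler next to a hardened one,
plus the probe an attacker runs and the check a tester runs.

Added illustration, not Dify's code: the user store, handler names and
response shapes are assumptions; the real endpoint and its 1.9.0 fix may differ.
"""

# Constructed sample user store (assumption): addresses registered with the service.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Side-effect log so the hardened handler's behaviour stays visible to the reader.
RESET_MAIL_QUEUE: list[str] = []


def vulnerable_reset(email: str) -> dict:
    """'Before': status code and body reveal whether the address is registered."""
    if email.strip().lower() in REGISTERED:
        RESET_MAIL_QUEUE.append(email)
        return {"status": 200, "body": {"result": "success"}}
    return {"status": 404, "body": {"code": "account_not_found",
                                    "message": "Account not found."}}


def hardened_reset(email: str) -> dict:
    """'After': the response is identical for registered and unregistered
    addresses. The side effect (queuing a reset mail) still happens only for
    registered accounts, but nothing in the response lets the caller tell.
    Caveat: this closes the response-content channel only; a measurable timing
    difference between the two branches (CWE-208) needs separate treatment."""
    if email.strip().lower() in REGISTERED:
        RESET_MAIL_QUEUE.append(email)
    return {"status": 200, "body": {"result": "success"}}


def has_response_discrepancy(handler, known_registered: str,
                             known_unregistered: str) -> bool:
    """Tester's check: does the endpoint answer a known-registered and a
    known-unregistered address differently? True means it is enumerable."""
    return handler(known_registered) != handler(known_unregistered)


def enumerate_registered(handler, candidates, known_unregistered: str) -> list[str]:
    """Attacker's probe: take the response for an address that certainly does not
    exist as the baseline, then report every candidate whose response differs."""
    baseline = handler(known_unregistered)
    return [e for e in candidates if handler(e) != baseline]


if __name__ == "__main__":
    wordlist = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print(enumerate_registered(vulnerable_reset, wordlist, "nobody-000@example.com"))
    print(enumerate_registered(hardened_reset, wordlist, "nobody-000@example.com"))
```

The hardened handler follows the usual pattern for password-reset and signup endpoints: always answer with the same status and body ("if an account exists, a link has been sent") and let the side effect happen out of band. When testing a live endpoint, compare the full response (status, headers that vary, body) for one address you know is registered and one you know is not; any stable difference is an enumeration oracle.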
What to do
Update to Dify 1.9.0 or later, which the advisory names as the fixed version. Until the upgrade is deployed, verify that account-related endpoints (signup, login, password reset) return the same status and body for registered and unregistered addresses, and watch for bursts of such requests against many distinct addresses.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| dify | dify | < 1.9.0 | 1.9.0 |
Original description
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.
CVSS 4.0 (NVD): 5.5
Vulnerability type
CWE-204 (Observable Response Discrepancy)
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026