CVE-2026-28288 – Dify has a user enumeration issue

CVE ID : CVE-2026-28288

Published : Feb. 27, 2026, 9:16 p.m. | 19 minutes ago

Description : Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

Severity: 5.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…