{"id":"CVE-2025-32795","summary":"Dify Allows Insecure User Role Access Control for APP Editing","details":"Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users are improperly granted permissions to edit APP names, descriptions and icons. This access control flaw allows non-admin users to modify app details, despite being restricted from viewing apps, which poses a security risk to the integrity of the application. This issue has been patched in version 0.6.12. A workaround for this vulnerability involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can modify app details.","aliases":["GHSA-gg5w-m2vw-vmmj"],"modified":"2026-04-10T05:25:14.321666Z","published":"2025-04-18T16:05:11.644Z","database_specific":{"cwe_ids":["CWE-284"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32795.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32795.json"},{"type":"ADVISORY","url":"https://github.com/langgenius/dify/security/advisories/GHSA-gg5w-m2vw-vmmj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32795"},{"type":"FIX","url":"https://github.com/langgenius/dify/pull/5266"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/langgenius/dify","events":[{"introduced":"0"},{"fixed":"6d0cea5fe60e1b2290f7af724c50ce8297f31d7f"}]}],"versions":["0.2.1","0.2.2","0.3.0","0.3.1","0.3.10","0.3.11","0.3.12","0.3.13","0.3.14","0.3.15","0.3.16","0.3.17","0.3.18","0.3.19","0.3.2","0.3.20","0.3.21","0.3.22","0.3.23","0.3.24","0.3.25","0.3.26","0.3.27","0.3.28","0.3.29","0.3.3","0.3.30","0.3.31","0.3.31-fix1","0.3.31-fix2","0.3.31-fix3","0.3.32","0.3.33","0.3.34","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","0.5.0","0.5.1","0.5.10","0.5.11","0.5.11-fix1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.5.9","0.6.0","0.6.0-fix1","0.6.1","0.6.10","0.6.11","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32795.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}