CVE-2026-21866 in dify
Summary
by MITRE • 03/04/2026
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.
Analysis
by VulDB Data Team • 03/06/2026
The vulnerability identified as CVE-2026-21866 represents a critical stored cross-site scripting flaw within the Dify open-source large language model application development platform. This issue affects versions prior to 1.11.2 and specifically manifests when the platform renders Mermaid diagrams within chat interfaces. The security implications are significant as it enables attackers to inject malicious scripts that persist within the application's stored content, creating a long-term threat vector for users interacting with affected systems.
The technical root cause of this vulnerability is Dify's default Mermaid configuration, which sets securityLevel: loose. This setting undermines the platform's security posture by allowing potentially unsafe content to execute within the rendering context. When the Mermaid.js library is configured with the loose security level, it permits embedded JavaScript and other dangerous markup to execute where stricter configurations would sanitize or block them. This is a classic configuration vulnerability: the default security setting is permissive rather than restrictive.
The operational impact of this stored XSS vulnerability extends beyond simple script execution capabilities. Attackers can leverage this flaw to steal user sessions, redirect victims to malicious websites, deface content, or even escalate privileges within the application context. Since the vulnerability operates within chat interfaces where users might interact with diagrams generated by other users, it creates a vector for social engineering attacks and persistent malicious content delivery. The stored nature of the vulnerability means that once exploited, the malicious payload remains active until manually removed or the platform is updated to version 1.11.2.
Organizations running Dify must urgently mitigate this vulnerability. The primary and most effective remediation is to update to version 1.11.2 or later, where the securityLevel parameter has been properly configured to prevent unsafe content execution. Administrators should also consider further controls such as Content Security Policy headers, input sanitization, and regular security audits of rendered content. The vulnerability aligns with CWE-79, which covers cross-site scripting flaws, and maps to ATT&CK technique T1566.001 for initial access through malicious content. The incident underscores the importance of secure configuration management and the principle of least privilege in web application security, particularly for libraries that render dynamic content and process user-generated markup.
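The following is an added example, not Dify's own code, illustrating the root-cause configuration and the remediation described above: the weak Mermaid configuration beside a hardened one, with a small audit helper that flags the loose level. It assumes only Mermaid's documented securityLevel values (strict, loose, antiscript, sandbox); the helper names are hypothetical and no Mermaid import is needed, so it runs offline.

```javascript
// Added example (not Dify's code). The weak and hardened configs are
// objects of the shape passed to mermaid.initialize(); the audit helper
// and hardening helper are hypothetical names written for this example.

// Configuration matching the advisory's description of Dify before 1.11.2:
// 'loose' renders HTML in diagram text unencoded and enables click
// callbacks, so attacker-controlled diagram source reaches the DOM as markup.
const weakMermaidConfig = { startOnLoad: false, securityLevel: 'loose' };

// Hardened configuration: 'strict' is Mermaid's own default; diagram text
// is HTML-encoded and click handlers are disabled.
const hardenedMermaidConfig = { startOnLoad: false, securityLevel: 'strict' };

// Behaviour of each documented level, from Mermaid's own documentation.
const LEVELS = {
  strict:     { htmlInText: false, clickEvents: false, sandboxed: false },
  antiscript: { htmlInText: true,  clickEvents: true,  sandboxed: false },
  loose:      { htmlInText: true,  clickEvents: true,  sandboxed: false },
  sandbox:    { htmlInText: true,  clickEvents: false, sandboxed: true  },
};

// Audit policy (a defender's choice, not a Mermaid rule): only levels that
// either encode HTML or isolate the render in a sandboxed iframe are
// accepted. A missing securityLevel falls back to Mermaid's default, strict.
function auditMermaidConfig(config) {
  const level = config.securityLevel === undefined ? 'strict' : config.securityLevel;
  const props = LEVELS[level];
  if (!props) return { level, safe: false, reason: 'unknown securityLevel' };
  if (props.sandboxed) return { level, safe: true, reason: 'rendered in sandboxed iframe' };
  if (props.htmlInText) {
    return { level, safe: false, reason: 'raw HTML in diagram text reaches the DOM' };
  }
  return { level, safe: true, reason: 'diagram text is HTML-encoded' };
}

// Return a copy of the config with the securityLevel forced to 'strict',
// leaving every other option untouched (the original object is not mutated).
function hardenMermaidConfig(config) {
  return Object.assign({}, config, { securityLevel: 'strict' });
}

// Walk-through when run directly: the weak config is flagged, the hardened
// copy passes.
console.log(auditMermaidConfig(weakMermaidConfig));
console.log(auditMermaidConfig(hardenMermaidConfig(weakMermaidConfig)));
console.log(auditMermaidConfig(hardenedMermaidConfig));
```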