Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.
PostgreSQL login credentials (username and password) are stored in plain text in the docker-compose.yaml file, which is publicly available in the source code repository. An attacker who knows these default credentials can attempt to connect directly to the PostgreSQL instance. The supplier notes that starting from version 1.0.1, the Docker configuration does not expose TCP port 5432 externally by default, which limits the scope of the vulnerability in newer configurations.
An attacker with access to the PostgreSQL port can gain full control over the application database, leading to compromise of confidentiality, integrity, and availability of stored data — including potentially user data, API keys, and system configuration.
Immediately change the default PostgreSQL credentials to strong, unique passwords. Ensure that port 5432 is not exposed publicly — according to the supplier's information, version 1.0.1 and newer do not expose this port externally by default. Apply patches available from the supplier according to the provided references and verify the docker-compose.yaml configuration for any hardcoded credentials.
Langgenius Dify versions through 1.5.1, particularly docker-compose based installations where the PostgreSQL port (TCP 5432) is accessible from an external network.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLanggenius Dify
APPLanggenius≤ 1.5.1
Related vulnerabilities
Błędna konfiguracja CORS w Dify — endpoint /console/api/setup
Błędna konfiguracja CORS w Dify — nieograniczony dostęp cross-origin z uwierzytelnieniem
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requ...
langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing executi...
Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access ...