CRITICAL🇵🇱 Wersja polska

CVE-2025-56157

CVSS 9.8v3.1pub. 2025-12-18upd. 2026-07-05

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later.

🤖 AI Analysis
How it works

PostgreSQL login credentials (username and password) are stored in plain text in the docker-compose.yaml file, which is publicly available in the source code repository. An attacker who knows these default credentials can attempt to connect directly to the PostgreSQL instance. The supplier notes that starting from version 1.0.1, the Docker configuration does not expose TCP port 5432 externally by default, which limits the scope of the vulnerability in newer configurations.

Impact

An attacker with access to the PostgreSQL port can gain full control over the application database, leading to compromise of confidentiality, integrity, and availability of stored data — including potentially user data, API keys, and system configuration.

Mitigation & patch

Immediately change the default PostgreSQL credentials to strong, unique passwords. Ensure that port 5432 is not exposed publicly — according to the supplier's information, version 1.0.1 and newer do not expose this port externally by default. Apply patches available from the supplier according to the provided references and verify the docker-compose.yaml configuration for any hardcoded credentials.

Who is affected

Langgenius Dify versions through 1.5.1, particularly docker-compose based installations where the PostgreSQL port (TCP 5432) is accessible from an external network.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Langgenius Dify

    APP
    Langgenius
    ≤ 1.5.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Container
CWE
References

Related vulnerabilities

CVE-2025-63386CRITICAL9.1PL ✓ten sam produkt

Błędna konfiguracja CORS w Dify — endpoint /console/api/setup

CVE-2025-63388CRITICAL9.1PL ✓ten sam produkt

Błędna konfiguracja CORS w Dify — nieograniczony dostęp cross-origin z uwierzytelnieniem

CVE-2025-63387HIGH7.5ten sam produkt

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requ...

CVE-2025-3466HIGH7.2ten sam produkt

langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing executi...

CVE-2025-43862HIGH7.6ten sam produkt

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access ...