CVE-2026-6618 | langgenius dify up to 1.13.3 ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle url server-side request forgery
A vulnerability was found in langgenius dify up to 1.13.3. It has been declared as critical. This issue affects the function parse_openai_plugin_json_to_tool_bundle in the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Manipulating the argument url can lead to server-side request forgery.
This vulnerability is tracked as CVE-2026-6618. The attack can be launched remotely. Moreover, an exploit is present.
The vendor was contacted early about this disclosure but did not respond in any way.
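A defensive check for a user-supplied url argument of the kind described above, as an added example: this is not Dify's code or a vendor fix, and the names check_outbound_url, _is_public and ALLOWED_SCHEMES are hypothetical. It assumes the server would otherwise fetch the URL as given, and it refuses any URL whose host does not resolve exclusively to public addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip_text):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap ::ffff:a.b.c.d so a mapped internal IPv4 address is judged as IPv4.
    mapped = getattr(ip, "ipv4_mapped", None)
    return (mapped or ip).is_global


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Hypothetical guard: return the vetted IPs for url or raise ValueError.

    Connect to a returned address instead of resolving the name again, so a
    second DNS answer cannot differ from the one that was checked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    addrs = sorted({info[4][0] for info in infos})
    # Reject if ANY answer is loopback, private, link-local or otherwise
    # non-global; one internal record among public ones is enough to refuse.
    blocked = [a for a in addrs if not _is_public(a)]
    if not addrs or blocked:
        raise ValueError(f"{host!r} does not resolve only to public addresses")
    return addrs


if __name__ == "__main__":
    # Constructed sample inputs; IP literals resolve without DNS.
    for sample in ("http://127.0.0.1:8080/", "http://169.254.169.254/"):
        try:
            check_outbound_url(sample)
        except ValueError as err:
            print("rejected:", err)
```

If the HTTP client follows redirects, each redirect target needs the same check before it is requested.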