{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-14T08:53:15.853","vulnerabilities":[{"cve":{"id":"CVE-2024-11821","sourceIdentifier":"security@huntr.dev","published":"2025-03-20T10:15:25.563","lastModified":"2025-07-14T17:25:30.823","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint /console/api/apps/{chatbot-id}/model-config, allowing unauthorized users to alter chatbot configurations."},{"lang":"es","value":"Existe una vulnerabilidad de escalada de privilegios en langgenius/dify versión 0.9.1. Esta vulnerabilidad permite a un usuario normal modificar las instrucciones de Orchestrate para un chatbot creado por un usuario administrador. El problema surge porque la aplicación no aplica correctamente los controles de acceso en el endpoint /console/api/apps/{chatbot-id}/model-config, lo que permite que usuarios no autorizados alteren la configuración del chatbot."}],"metrics":{"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-250"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:langgenius:dify:0.9.1:*:*:*:*:node.js:*:*","matchCriteriaId":"D53CCA1B-6A3C-49A8-82B0-419588788AE3"}]}]}],"references":[{"url":"https://huntr.com/bounties/76d5986d-3882-4ea7-81cb-f00400e5c6b6","source":"security@huntr.dev","tags":["Exploit","Third Party Advisory"]}]}}]}