Security Advisory

CVE-2025-63386

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-12-18 00:00:00
Last updated 2026-02-11 14:09:22
Assigner mitre
State PUBLISHED

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.