Security: langgenius/dify

SECURITY.md

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in Dify, please report it privately through GitHub Security Advisories:

https://github.com/langgenius/dify/security/advisories/new

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

When submitting a report, include as much relevant information as you can safely provide, such as:

  • A description of the vulnerability
  • Steps to reproduce, if safe to share privately
  • Affected components, versions, or configurations
  • Potential impact
  • Any suggested mitigation or fix, if available

The maintainers will review reports submitted through GitHub Security Advisories and coordinate follow-up there.

Public Disclosure

Please avoid publicly disclosing details of a vulnerability until it has been reviewed and, where appropriate, a fix or mitigation has been made available.

Security Updates

Security fixes may be released through normal project releases or other appropriate channels. Users are encouraged to keep Dify deployments up to date.
