CVE-2026-26023

6.1 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Dify's web chat frontend when using echarts. It allows attackers to execute arbitrary JavaScript code in users' browsers by injecting malicious payloads through user or LLM inputs. All Dify instances running versions before 1.13.0 with the vulnerable echarts integration are affected.

💻 Affected Systems

Products:
  • Dify
Versions: All versions prior to 1.13.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances using the web chat frontend with echarts visualization components.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or install malware on users' systems.

🟠 Likely Case: Session hijacking, credential theft, or defacement of the chat interface through injected content.

🟢 If Mitigated: Limited to UI manipulation within the chat interface if a proper Content Security Policy is enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction or LLM input containing the specific echarts JavaScript payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13.0

Vendor Advisory: https://github.com/langgenius/dify/security/advisories/GHSA-qqjx-5h5w-x5vj

Restart Required: No

Instructions:

1. Back up your Dify instance.
2. Update to version 1.13.0 or later using your deployment method (Docker, Kubernetes, etc.).
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable echarts in chat (all)

Temporarily disable the echarts visualization components in the chat interface.

Implement Content Security Policy (all)

Add strict CSP headers to prevent script execution from untrusted sources.

🧯 If You Can't Patch

  • Implement input validation and sanitization for all user and LLM inputs
  • Deploy a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if Dify version is below 1.13.0 and echarts is enabled in chat configuration

Check Version:

Check Dify admin panel or deployment configuration for version information

Verify Fix Applied:

Confirm version is 1.13.0 or higher and test chat functionality with various inputs

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript patterns in chat inputs
  • Multiple failed echarts rendering attempts

Network Indicators:

  • Suspicious script tags in HTTP requests to chat endpoints

SIEM Query:

source="dify" AND ("echarts" OR "javascript:") AND status=200
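As an added illustration (not code from this advisory or from the Dify project), the Python script below applies the log and network indicators listed above to a constructed sample request log, mirroring the SIEM query's restriction to accepted (status 200) chat requests, and adds a version check against the fixed release. The one-line log format, the /chat path and the request bodies are assumptions, not Dify's real logging.

```python
import re

# Constructed sample request log in a one-line-per-request format of my own;
# it is not Dify's real log format, and the /chat path and bodies are illustrative.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z POST /chat 200 body="What is the revenue trend for Q3?"
2026-03-01T10:00:07Z POST /chat 200 body="render <script>alert(1)</script> as a chart"
2026-03-01T10:00:09Z POST /chat 200 body="open javascript:alert(1)"
2026-03-01T10:00:12Z POST /chat 200 body="plot this as an echarts line chart"
2026-03-01T10:00:15Z POST /chat 400 body="<script>rejected by validation</script>"
2026-03-01T10:00:20Z GET /files 200 body=""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) body="(.*)"$')

# Indicators from the advisory: script tags and javascript: URIs are high-confidence;
# a bare "echarts" mention (as keyed on by the SIEM query) only merits review.
RULES: list[tuple[str, re.Pattern, str]] = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I), "high"),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I), "high"),
    ("echarts-mention", re.compile(r"\becharts\b", re.I), "review"),
]

def scan_chat_log(log: str, chat_path: str = "/chat") -> list[dict[str, str]]:
    """One finding per accepted (HTTP 200) chat request whose body matches a rule.
    Like the SIEM query, rejected requests and other endpoints are ignored."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, _method, path, status, body = m.groups()
        if path != chat_path or status != "200":
            continue
        for name, pattern, severity in RULES:
            if pattern.search(body):
                findings.append({"time": ts, "rule": name, "severity": severity, "body": body})
                break  # report the first (highest-confidence) matching rule only
    return findings

def is_patched(version: str) -> bool:
    """True when a Dify version string is 1.13.0 or later, the fixed release."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))  # pad "1.13" to (1, 13, 0)
    return tuple(nums) >= (1, 13, 0)

if __name__ == "__main__":
    for f in scan_chat_log(SAMPLE_LOG):
        print(f"{f['time']} [{f['severity']}] {f['rule']}: {f['body']}")
```

On the sample log this reports the script-tag and javascript: lines as high and the echarts mention for review, while skipping the rejected (400) request and the non-chat endpoint.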
