v3.10.0

LatestNon-skippable

Released May 28, 2026·Community 1.14.1·Community commit 7b551da·Enterprise 0.17.0·Helm chart·Docker Compose

Breaking

2 to verify

Security

Issues

Changes

7F · 13B

Downtime

required

Upgrade Impact

7 features · 13 fixes

Breaking:This release has breaking changes requiring manual action for Docker Compose deployments and Dify databases with legacy model_type values.

Dify DB: model_type Legacy Value Migration RequiredCE 1.14.1 enforces canonical model_type values in the Dify database. If your database contains legacy values (text-generation, embeddings, reranking), run flask data-migrate legacy-model-types from the Dify API container after upgrading. Enterprise DB: no migration needed. See Migration Notes in the Upgrade Guide for full instructions.

Docker Compose: New env_file ArchitectureThe Docker Compose package now uses an env_file-based architecture (aligned with CE 1.14.1). If you upgrade by replacing all files except .env (standard procedure), no action is needed. If you manage files manually, ensure files envs/enterprise/* are properly set up or overwritten in .env before starting the stack or Docker Compose will refuse to start.

What Changed

New Features

Enterprise Observability: OpenTelemetry Tracing and MetricsEnterprise backend services now emit unified OpenTelemetry traces and metrics for remote calls and database access, making it easier to pinpoint performance bottlenecks in production. Configured via standard OTEL environment variables; both Helm and Docker Compose templates updated.

Redis Sentinel and Redis Cluster Support for Enterprise ServicesEnterprise Go services now support Redis Sentinel for high-availability Redis deployments. The EVENT_BUS component can additionally be configured to use a separate Redis Cluster. Helm and Docker Compose configurations have been updated with a unified Redis/MQ schema to support these modes. Note: full end-to-end Redis Cluster is not yet supported — only EVENT_BUS can be independently configured to use a Redis Cluster.

Helm: PGVector External Vector Database SupportThe Helm chart now supports configuring an external PGVector instance as the vector database backend, giving operators control over vector storage placement and configuration.

Kubernetes: DifyPlugin Scale Sub-Resource for HPAThe DifyPlugin custom resource now implements the Kubernetes scale sub-resource, enabling customers to integrate Horizontal Pod Autoscaler (HPA) directly with plugin deployments without custom controller logic.

Kubernetes: Dynamic Kubeconfig Token RotationEnterprise services now support automatic kubeconfig reloading, enabling dynamic token rotation scenarios. Previously, kubeconfig-based authentication did not handle token refresh correctly, requiring pod restarts when credentials rotated.

Plugin Management: Select All WorkspacesThe enterprise admin plugin management page now supports selecting all workspaces at once when installing or assigning plugins, eliminating per-workspace selection for large deployments.

Workflow: Graph Initialization Performance ImprovedOptimized graph initialization logic to reduce startup latency for complex workflows with many nodes.

Bug Fixes

Security: SQL Injection Prevention in Model Credential APIThe enterprise gRPC endpoints CreateCredential and UpdateCredential now validate the customer_model_type field against a strict whitelist. Previously, a malformed value containing SQL injection characters could be written to the provider_models table, causing all downstream model-dependent APIs to return invalid_param errors requiring manual database intervention to recover.

Password Reset Fails After Dify UpgradeFixed a SQLAlchemy session management issue in the password reset flow that caused reset requests to fail following a Dify version upgrade.

Offline Environment: Plugin Install and Knowledge Pipeline Conversion FailFixed two bugs in air-gapped deployments. The enterprise admin backend no longer contacts marketplace.dify.ai when installing or assigning plugins, eliminating context deadline exceeded timeouts. Knowledge base-to-pipeline conversion no longer triggers marketplace queries in offline mode, resolving the 500 Internal Server Error.

Multimodal Knowledge Base: Images Not Accessible in BrowserFixed an issue where images in multimodal knowledge base documents were stored with the internal Kubernetes hostname (dify-api:5001) in their URLs, making them unreachable from user browsers. Image URLs now use the externally accessible domain.

OTLP Endpoint: Scheme-Prefixed URLs Now AcceptedThe OpenTelemetry endpoint validator previously rejected any URL containing :// (e.g., http://), blocking integrations with providers such as Alibaba Cloud ARMS that require a full URL with scheme. The validator now accepts http:// and https:// prefixed URLs correctly.

Collector: Pod Fails to Start When Postgres Password Contains Special CharacterFixed a URL parsing error in the enterprise collector that caused the pod to crash on startup when the Postgres connection string password contained a # character. The character was misinterpreted as a port separator, producing an "invalid port" parse error.

License: Spurious Reactivation Prompt After Pod RestartFixed a bug where restarting enterprise pods could trigger a license reactivation prompt due to a duplicate entry constraint violation on the cluster_id field in the licenses table. Duplicate cluster_id inserts on pod restart are now skipped, preventing the constraint violation.

Credentials: Multiple Default Credentials Can Be Set SimultaneouslyFixed a race condition in workspace credential management that allowed multiple members to each set their own credential as the default at the same time, resulting in more than one active default credential per workspace.

Plugin Daemon: Decode Endpoint Parameter Location MismatchFixed two mismatches between the enterprise service and plugin daemon API contract: the plugin_unique_identifier parameter on the decode/from_identifier endpoint was updated from request body to query parameter, and a separate parameter was migrated from body to form encoding. The enterprise service now sends both parameters in the correct location.

Plugin Installation: Compatible with uv Package ManagerPlugin installation now works correctly when uv is configured as the Python package manager, resolving failures in deployments that use uv instead of pip.

Code Node: Environment Variable References Display IncorrectlyFixed a frontend display bug in the workflow code node where references to environment variables and input parameters appeared malformed in the editor UI. The references were functional at runtime but rendered incorrectly, causing confusion during workflow authoring.

Knowledge Base: Incorrect Maximum Upload File Count DisplayedFixed a UI bug where the knowledge base upload dialog showed an inaccurate maximum number of files allowed per batch. The displayed limit now correctly reflects the configured value.

Model Credential: Context Length Lost When EditingFixed an issue where the configured context length value for a model credential was lost (reverted to empty) after editing and saving the credential. The context length is now correctly preserved through credential update operations.