Skip to main content

v3.11.0

LatestNon-skippable
Released Jun 30, 2026·Community 1.15.0·Community commit 64e29f2·Enterprise 0.18.0·Helm chart·Docker Compose
Breaking
3 to verify
Security
Issues
Changes
8F · 2B
Downtime
required

Upgrade Impact

8 features · 2 fixes
Breaking:This release requires mandatory database migrations. The application is unusable until they complete: workspace members have no RBAC roles (access denied), dataset permissions are not mapped to RBAC, and plugin auto-upgrade state is uninitialized. Plan a maintenance window and run all migrations immediately after upgrade, before restoring traffic.
RBAC: Member Role Migration Required (mandatory)Workspace Role-Based Access Control replaces the legacy fixed member roles. Until flask rbac-migrate-member-roles runs, existing members map to no RBAC role and access is denied across workspaces, so the app is effectively down. See Migration Notes for instructions.
RBAC: Dataset Permission Migration Required (mandatory)RBAC also governs dataset access. Until flask rbac-migrate-dataset-permissions --apply runs, legacy dataset permissions (all-team / partial-members / only-me) are not mapped to RBAC dataset access bindings, so knowledge base access is incorrect under RBAC. See Migration Notes for instructions.
Plugin Auto-Upgrade Backfill Required (mandatory)Run flask backfill-plugin-auto-upgrade from the Dify API container immediately after upgrading to initialize plugin auto-upgrade state for existing installations.

What Changed

10
New Features
Bug Fixes
Security: Path Traversal in Plugin Daemon Forwarding (CVE-2026-41948)Fixed CVE-2026-41948, a path traversal vulnerability in plugin-daemon request forwarding, inherited from the Community Edition 1.15.0 base.
Workflow and RAG Stability ImprovementsHardened HTTP timeouts, fixed vector store compatibility issues, refined workflow execution error handling, and reduced workflow startup and termination latency.

Upgrade Guide

Pre-Upgrade Checklist
Back up PostgreSQL database and Redis data
Confirm Kubernetes cluster has sufficient resources for rolling update
Schedule a maintenance window; the application is unusable until the migrations below complete
Immediately after upgrade, run flask rbac-migrate-member-roles (mandatory; members have no access until this finishes)
Then run flask rbac-migrate-dataset-permissions --apply (mandatory; dataset access is incorrect under RBAC until this finishes)
Then run flask backfill-plugin-auto-upgrade (mandatory) before restoring traffic
Upgrade Command

# Back up database first, then:

$ helm upgrade -i dify -f values.yaml dify-ee/dify --version 3.11.0

Rollback

$ helm rollback dify 0

Security & CVE

Full CVE report →
Security vulnerabilities found in this release.9 Critical · 32 High CVE across all container images
ScannerDocker Scout
Scanned
Jun 30, 2026
Data Source
Docker
TTFE – Time To First Event (ms)
AVG
143.31
MIN
129
MAX
164
P50
137
P90
161.8
P95
163.4
Connections
Max Concurrent
18
Avg Active
17.5
Empty Workflow QPS
Max QPS
20.8
Avg QPS
19.99
Avg Duration (ms)
144.09

License Compliance

Full license report →
All dependencies compliant - no copyleft issues detected
Apache-2.0MITBSD-3-ClauseMPL-2.0BSD-2-ClauseISCCC0-1.0
© 2026 Dify All rights reserved.Enterprise release information is confidential. Do not distribute externally.