v3.11.0
LatestNon-skippable
Released Jun 30, 2026·Community 1.15.0·Community commit 64e29f2·Enterprise 0.18.0·Helm chart·Docker Compose
Breaking
3 to verify
Security
Issues
Changes
8F · 2B
Downtime
required
Upgrade Impact
Breaking:This release requires mandatory database migrations. The application is unusable until they complete: workspace members have no RBAC roles (access denied), dataset permissions are not mapped to RBAC, and plugin auto-upgrade state is uninitialized. Plan a maintenance window and run all migrations immediately after upgrade, before restoring traffic.
RBAC: Member Role Migration Required (mandatory)Workspace Role-Based Access Control replaces the legacy fixed member roles. Until
flask rbac-migrate-member-roles runs, existing members map to no RBAC role and access is denied across workspaces, so the app is effectively down. See Migration Notes for instructions.
RBAC: Dataset Permission Migration Required (mandatory)RBAC also governs dataset access. Until
flask rbac-migrate-dataset-permissions --apply runs, legacy dataset permissions (all-team / partial-members / only-me) are not mapped to RBAC dataset access bindings, so knowledge base access is incorrect under RBAC. See Migration Notes for instructions.
Plugin Auto-Upgrade Backfill Required (mandatory)Run
flask backfill-plugin-auto-upgrade from the Dify API container immediately after upgrading to initialize plugin auto-upgrade state for existing installations.
What Changed
10New Features
RBAC: Workspace Role-Based Access ControlWorkspaces now support fine-grained Role-Based Access Control. Administrators can define custom roles and permission sets, assign resource-level access (apps, knowledge bases, tools, credentials, monitoring), and manage role assignment from both the workspace UI and the enterprise admin console. Includes system-preset roles, multi-language role/permission templates, resource default access policies, and per-resource ACLs. When RBAC is disabled, the product falls back to legacy role behavior.
Community Edition 1.15.0 BaseThis release upgrades the Dify base to Community Edition 1.15.0. All upstream 1.15.0 features and fixes are now part of the enterprise distribution.
difyctl: Command-Line ClientA new command-line client lets users invoke apps and workflows directly from the terminal without the web UI. Available for macOS, Linux, and Windows with checksum-verified releases.
Chain-of-Thought Reasoning VisualizationChat flows and workflows can now stream model reasoning into a dedicated thinking panel while keeping the final answer clean. Reasoning persists across page refreshes and displays consistently in CLI and workflow previews.
Human-in-the-Loop: Dropdowns and File UploadsWorkflow pause forms now support dropdown selections and file uploads in addition to text inputs, so reviewers can give structured responses and attach files during human review steps.
Long-Running Model SupportWorkflows now accommodate slow models such as image and video generation through polling, waiting for results instead of timing out.
Knowledge Import: Excel Embedded Image ExtractionKnowledge import now extracts images embedded inside Excel files, so diagram-based content that was previously dropped is retained.
Observability: Custom Trace Session IDs and Retrieval TracingUsers can set custom trace session IDs for Phoenix, and document-retrieval steps are now traceable for better RAG transparency.
Bug Fixes
Security: Path Traversal in Plugin Daemon Forwarding (CVE-2026-41948)Fixed CVE-2026-41948, a path traversal vulnerability in plugin-daemon request forwarding, inherited from the Community Edition 1.15.0 base.
Workflow and RAG Stability ImprovementsHardened HTTP timeouts, fixed vector store compatibility issues, refined workflow execution error handling, and reduced workflow startup and termination latency.
Upgrade Guide
Pre-Upgrade Checklist
Back up PostgreSQL database and Redis data
Confirm Kubernetes cluster has sufficient resources for rolling update
Schedule a maintenance window; the application is unusable until the migrations below complete
Immediately after upgrade, run
flask rbac-migrate-member-roles (mandatory; members have no access until this finishes)Then run
flask rbac-migrate-dataset-permissions --apply (mandatory; dataset access is incorrect under RBAC until this finishes)Then run
flask backfill-plugin-auto-upgrade (mandatory) before restoring trafficUpgrade Command
# Back up database first, then:
$ helm upgrade -i dify -f values.yaml dify-ee/dify --version 3.11.0
Rollback
$ helm rollback dify 0
Security & CVE
Security vulnerabilities found in this release.9 Critical · 32 High CVE across all container images
Image
low
2
0
0
1
0
0
2
2
2
0
0
1
3
0
0
1
3
0
Status
FAIL
PASS
PASS
PASS
PASS
PASS
PASS
PASS
PASS
PASS
PASS
FAIL
FAIL
PASS
PASS
FAIL
FAIL
PASS
ScannerDocker Scout
Scanned
Jun 30, 2026
Data Source
Docker
Benchmark Report
TTFE – Time To First Event (ms)
AVG
143.31
MIN
129
MAX
164
P50
137
P90
161.8
P95
163.4
Connections
Max Concurrent
18
Avg Active
17.5
Empty Workflow QPS
Max QPS
20.8
Avg QPS
19.99
Avg Duration (ms)
144.09
License Compliance
All dependencies compliant - no copyleft issues detected
Apache-2.0MITBSD-3-ClauseMPL-2.0BSD-2-ClauseISCCC0-1.0